File analytics systems and methods including retrieving metadata from file system snapshots

ABSTRACT

Examples of file analytics systems are described that may obtain metadata data from a virtualized file server using a snapshot of the file virtualized file. The analytics system may mount a snapshot to retrieve metadata used in determining an overall size, structure, owner, permissions, and/or storage locations of parts of a file system managed by the virtualized file server. The analytics tool may communicate directly with each of file server virtual machines of the virtualized file server during the metadata collection process to retrieve the respective portions of the metadata. During the metadata collection process, the analytics system may add a checkpoint or marker (e.g., index) after every completed metadata transaction to indicate where it left off accessing the metadata snapshots. The checkpoint may allow the analytics system to return to the checkpoint to resume the process should the process be interrupted for some reason.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority to Indian Provisional Application No. 202111015328 filed Mar. 31, 2021 and Indian Provisional Application No. 202111019888 filed Apr. 30, 2021. The aforementioned applications are incorporated herein by reference, in their entirety, for any purpose.

TECHNICAL FIELD

Examples described herein relate generally to distributed file server systems. Examples of file analytics systems are described which may obtain events from the distributed file server, and generate metrics based on the same. Examples of file analytics systems that retrieve metadata from snapshots of the file system are described.

BACKGROUND

Data, including files, are increasingly important to enterprises and individuals. The ability to store significant corpuses of files is important to operation of many modern enterprises. Existing systems that store enterprise data may be complex or cumbersome to interact with in order to quickly or easily establish what actions have been taken with respect to the enterprise's data and what attention may be needed from an administrator. In addition, an incomplete catalog of the file system may result in an incomplete analysis of the enterprise data to determine usage characteristics and to detect anomalies.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a schematic illustration of a distributed computing system hosting a virtualized file server and a file analytics system arranged in accordance with examples described herein.

FIG. 1B illustrates an example hierarchical structure of a portion of the VFS of FIG. 1A according to particular embodiments.

FIG. 2A is a schematic illustration of a clustered virtualization environment implementing a virtualized file server and a file analytics system according to particular embodiments.

FIG. 2B is an example procedure which may be implemented by a monitoring process to raise alerts in accordance with examples described herein.

FIG. 3 is a schematic illustration of a system including a flow diagram for ingestion of information from a virtualized file server (VFS) by an analytics virtual machine according to particular embodiments.

FIG. 4 and FIG. 5 depict exemplary user interfaces showing various analytic data based on file server events, according to particular embodiments.

FIG. 6 depicts an example user interface reporting various anomaly-related data, according to particular embodiments.

FIG. 7 illustrates a clustered virtualization environment implementing file server virtual machine of a virtualized file server (VFS) and an analytics VM according to particular embodiments.

FIG. 8 depicts a block diagram of components of a computing node (e.g., device) in accordance with embodiments of the present disclosure.

DETAILED DESCRIPTION

Examples described herein include metadata and events based file analytics systems for hyper-converged scale out distributed file storage systems. Embodiments presented herein disclose a file analytics system which may to retrieve, organize, aggregate, and/or analyze information pertaining to a file system. Information about the file system may be stored in an analytics datastore. The file analytics system may query or monitor the analytics datastore to provide information (e.g., to an administrator) in the form of display interfaces, reports, and alerts and/or notifications. In some examples, the file analytics system may be hosted on a computing node, whether standalone or on a cluster of computing nodes. In some examples, the file analytics system may interface with a file system managed by a distributed virtualized file server (VFS) hosted on a cluster of computing nodes. An example VFS may provide for shared storage (e.g., across an enterprise), failover and backup functionalities, as well as scalability and security of data stored on the VFS.

In some examples, the information retrieved or received by the analytics tool may include event data records and metadata. The metadata collection process may include gathering the overall size, structure, storage locations of parts of the file system managed by the file server, as well as details (e.g., file size, allocated storage quota, creation and/or modification information, owner information, permissions information, etc.) for each data item (e.g., file, folder, directory, share, etc.) in the file system. In some examples, the metadata collection process rely on scanning one or more snapshots of the file system managed by the file server to gather the metadata, such as one or more snapshots generated by a disaster recovery application of the file server. The analytics tool may use the information gathered from the one or more snapshots to develop a comprehensive picture of the file system managed by the file server. In some examples, the analytics tool may employ multiple threads to perform scan the snapshots in parallel. The multiple threads may be employed to scan different shares in parallel, different files of a common share in parallel, or any combination thereof.

In some examples, the analytics tool may mount a particular snapshot of the file server to scan at least a portion of the file system to retrieve some of the metadata of the file system. In some examples, the analytics tool may communicate directly with each of the file server virtual machines of the file server during the metadata collection process to retrieve the respective portions of the metadata. In other examples, the analytics tool may communicate directly with another application or service of the distributed computing system, such as a disaster recovery service or application. In some examples, during the metadata scan, the file server or related application and/or the analytics tool may add a checkpoint or marker (e.g., index) after every completed metadata transaction to indicate where it left off scanning the metadata snapshots. The checkpoint may allow the analytics tool to return to the checkpoint to resume the scan should the scan be interrupted for some reason. Without the checkpoint, the metadata scan may start anew, creating duplicate metadata records in the events log that need to be resolved.

In addition, when successive snapshots are analyzed, the analytics tool may generate event data based on differences between the two snapshots. For example, if the metadata of a first snapshot indicates that a particular share has a first size and the metadata of a second snapshot indicates that the particular share has a second size, the analytics tool may generate an event that the size of the particular file was changed. Other types of events may be derived if a metadata comparison between two snapshots reveals that a file/folder/share/directory/etc. is added, removed, or some characteristic has been changed without departing from the scope of the disclosure.

In some examples, the shares of the file system may be sharded (e.g., distributed across multiple FSVMs), which may impact capturing of a complete set of metadata for the file system. Thus, as part of the metadata collection process, a distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM IDs (e.g., IP addresses) to be mounted to access a full share. However, in some examples, the analytics tool may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if a snapshot for a portion of a share hosted by one FSVM is mounted, the analytics tool may identify all folders (e.g., top-level directories), but not all data for the share may be available via the snapshot. Rather, some of the data may be hosted on other FSVMs. In some examples, the analytics tool may map top-level directories to FSVMs using one or more snapshots and/or differential snapshots, and then may use that information to traverse other snapshots and/or differential snapshots for the remaining directories. So, for example, the analytics tool may identify that a first FSVM and a second FSVM may host a particular top-level (e.g., root) directory when scanning a particular snapshot. In order to scan all of the metadata for that top-level directory, snapshots created for the portions of the top-level directory for both of the FSVMs may be accessed and scanned. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics tool, even without use of a DFS Referral.

Certain details are set forth herein to provide an understanding of described embodiments of technology. However, other examples may be practiced without various of these particular details. In some instances, well-known circuits, control signals, timing protocols, and/or software operations have not been shown in detail in order to avoid unnecessarily obscuring the described embodiments. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented here.

FIG. 1A is a schematic illustration of a distributed computing system 100 hosting a virtualized file server and a file analytics system arranged in accordance with examples described herein. The system 100, which may be a virtualized system and/or a clustered virtualized system, includes a virtualized file server (VFS) 160 and an analytics VM 170. While shown as a virtual machine, examples of analytics applications may be implemented using one or more virtual machines, containers or both. The analytics application, e.g., analytics VM 170, may retrieve, organize, aggregate, and/or analyze information pertaining to the VFS 160. Data collected by the analytics application may be stored in an analytics datastore 190. The analytics datastore may be distributed across the various storage devices shown in FIG. 1A in some examples. While shown as hosted in a same computing system cluster as hosts the VFS 160, the analytics VM 170 and/or analytics datastore may in other examples be outside the cluster and in communication with the cluster. In some examples the analytics VM and/or analytics data store may be provided as a hosted solution in one or more cloud computing platforms.

The system of FIG. 1A can be implemented using a distributed computing system. Distributed computing systems generally include multiple computing nodes (e.g., physical computing resources)—host machines 102, 106, and 104 are shown in FIG. 1A—that may manage shared storage, which may be arranged in multiple tiers. The storage may include storage that is accessible through network 154, such as, by way of example and not limitation, cloud storage 108 (e.g., which may be accessible through the Internet), network-attached storage 110 (NAS) (e.g., which may be accessible through a LAN), or a storage area network (SAN). Examples described herein may also or instead permit local storage 136, 138, and 140 that is incorporated into or directly attached to the host machine and/or appliance to be managed as part of storage pool 156. Accordingly, the storage pool may include local storage of one or more of the computing nodes in the system, storage accessible through a network, or both local storage of one or more of the computing nodes in the system and storage accessible over a network. Examples of local storage may include solid state drives (SSDs), hard disk drives (HDDs, and/or “spindle drives”), optical disk drives, external drives (e.g., a storage device connected to a host machine via a native drive interface or a serial attached SCSI interface), or any other direct-attached storage. These storage devices, both direct-attached and/or network-accessible, collectively form storage pool 156. Virtual disks (or “vDisks”) may be structured from the physical storage devices in storage pool 156. A vDisk generally refers to a storage abstraction that is exposed by a component (e.g., a virtual machine, hypervisor, and/or container described herein) to be used by a client (e.g., a user VM, such as user VM 112). In examples described herein, controller VMs—e.g., controller VM 124, 126, and/or 128 of FIG. 1A may provide access to vDisks. In other examples, access to vDisks may additionally or instead be provided by one or more hypervisors (e.g., hypervisor 130, 132, and/or 134). In some examples, the vDisk may be exposed via iSCSI (“internet small computer system interface”) or NFS (“network file system”) and may be mounted as a virtual disk on the user VM. In some examples, vDisks may be organized into one or more volume groups (VGs).

Each host machine 102, 104, 106 may run virtualization software. Virtualization software may include one or more virtualization managers (e.g., one or more virtual machine managers, such as one or more hypervisors, and/or one or more container managers). Examples of hypervisors include NUTANIX AHV, VMWARE ESX(I), MICROSOFT HYPER-V, DOCKER hypervisor, and REDHAT KVM. Examples of container managers including Kubernetes. The virtualization software shown in FIG. 1A includes hypervisors 130, 132, and 134 which may create, manage, and/or destroy user VMs, as well as manage the interactions between the underlying hardware and user VMs. While hypervisors are shown in FIG. 1A, containers may be used additionally or instead in other examples. User VMs may run one or more applications that may operate as “clients” with respect to other elements within system 100. While shown as virtual machines in FIG. 1A, containers may be used to implement client processes in other examples. Hypervisors may connect to one or more networks, such as network 154 of FIG. 1A to communicate with storage pool 156 and/or other computing system(s) or components.

In some examples, controller virtual machines, such as CVMs 124, 126, and 128 of FIG. 1A are used to manage storage and input/output (“I/O”) activities according to particular embodiments. While examples are described herein using CVMs to manage storage I/O activities, in other examples, container managers and/or hypervisors may additionally or instead be used to perform described CVM functionality. The arrangement of virtualization software should be understood to be flexible. In some examples, CVMs act as the storage controller. Multiple such storage controllers may coordinate within a cluster to form a unified storage controller system. CVMs may run as virtual machines on the various host machines, and work together to form a distributed system that manages all the storage resources, including local storage, network-attached storage 110, and cloud storage 108. The CVMs may connect to network 154 directly, or via a hypervisor. Since the CVMs run independent of hypervisors 130, 132, 134, in examples where CVMs provide storage controller functionally, the system may be implemented within any virtual machine architecture, since the CVMs of particular embodiments can be used in conjunction with any hypervisor from any virtualization vendor. In other examples, the hypervisor may provide storage controller functionality and/or one or containers may be used to provide storage controller functionality (e.g., to manage I/O request to and from the storage pool 156).

A host machine may be designated as a leader node within a cluster of host machines. For example, host machine 104, as indicated by the asterisks, may be a leader node. A leader node may have a software component designated to perform operations of the leader. For example, CVM 126 on host machine 104 may be designated to perform such operations. A leader may be responsible for monitoring or handling requests from other host machines or software components on other host machines throughout the virtualized environment. If a leader fails, a new leader may be designated. In particular embodiments, a management module (e.g., in the form of an agent) may be running on the leader node.

Virtual disks may be made available to one or more user processes. In the example of FIG. IA, each CVM 124, 126, and 128 may export one or more block devices or NFS server targets that appear as disks to user VMs 112, 114, 116, 118, 120, and 122. These disks are virtual, since they are implemented by the software running inside CVMs 124, 126, and 128. Thus, to user VMs, CVMs appear to be exporting a clustered storage appliance that contains some disks. User data (e.g., including the operating system in some examples) in the user VMs may reside on these virtual disks.

Performance advantages can be gained in some examples by allowing the virtualization system to access and utilize local storage 136, 138, and 140. This is because I/O performance may be much faster when performing access to local storage as compared to performing access to network-attached storage 110 across a network 154. This faster performance for locally attached storage can be increased even further by using certain types of optimized local storage devices, such as SSDs.

As a user process (e.g., a user VM) performs I/O operations (e.g., a read operation or a write operation), the I/O commands may be sent to the hypervisor that shares the same server as the user process, in examples utilizing hypervisors. For example, the hypervisor may present to the virtual machines an emulated storage controller, receive an I/O command and facilitate the performance of the I/O command (e.g., via interfacing with storage that is the object of the command, or passing the command to a service that will perform the I/O command). An emulated storage controller may facilitate I/O operations between a user VM and a vDisk. A vDisk may present to a user VM as one or more discrete storage drives, but each vDisk may correspond to any part of one or more drives within storage pool 156. Additionally or alternatively, CVMs 124, 126, 128 may present an emulated storage controller either to the hypervisor or to user VMs to facilitate I/O operations. CVMs 124, 126, and 128 may be connected to storage within storage pool 156. CVM 124 may have the ability to perform I/O operations using local storage 136 within the same host machine 102, by connecting via network 154 to cloud storage 108 or network-attached storage 110, or by connecting via network 154 to 138 or 140 within another host machine 204 or 206 (e.g., via connecting to another CVM 126 or 128). In particular embodiments, any computing system may be used to implement a host machine.

Examples described herein include virtualized file servers. A virtualized file server may be implemented using a cluster of virtualized software instances (e.g., a cluster of file server virtual machines). A virtualized file server (VFS) 160 is shown in FIG. 1A including a cluster of file server virtual machines. The file server virtual machines may additionally or instead be implemented using containers. In some examples, the VFS 160 provides file services to user VMs 112, 114, 116, 118, 120, and 122. The file services may include storing and retrieving data persistently, reliably, and/or efficiently in some examples. The user virtual machines may execute user processes, such as office applications or the like, on host machines 102, 104, and 106. The stored data may be represented as a set of storage items, such as files organized in a hierarchical structure of folders (also known as directories), which can contain files and other folders, and shares, which can also contain files and folders.

In particular embodiments, the VFS 160 may include a set of File Server Virtual Machines (FSVMs) 162, 164, and 166 that execute on host machines 102, 104, and 106. The set of file server virtual machines (FSVMs) may operate together to form a cluster. The FSVMs may process storage item access operations requested by user VMs executing on the host machines 102, 104, and 106. The FSVMs 162, 164, and 166 may communicate with storage controllers provided by CVMs 124, 132, 128 and/or hypervisors executing on the host machines 102, 104, 106 to store and retrieve files, folders, SMB shares, or other storage items. The FSVMs 162, 164, and 166 may store and retrieve block-level data on the host machines 102, 104, 106, e.g., on the local storage 136, 138, 140 of the host machines 102, 104, 106. The block-level data may include block-level representations of the storage items. The network protocol used for communication between user VMs, FSVMs, CVMs, and/or hypervisors via the network 154 may be Internet Small Computer Systems Interface (iSCSI), Server Message Block (SMB), Network File System (NFS), pNFS (Parallel NFS), or another appropriate protocol.

Generally, FSVMs may be utilized to receive and process requests in accordance with a file system protocol—e.g., NFS, SMB. In this manner, the cluster of FSVMs may provide a file system that may present files, folders, and/or a directory structure to users, where the files, folders, and/or directory structure may be distributed across a storage pool in one or more shares.

For the purposes of VFS 160, host machine 106 may be designated as a leader node within a cluster of host machines. In this case, FSVM 166 on host machine 106 may be designated to perform such operations. A leader may be responsible for monitoring or handling requests from FSVMs on other host machines throughout the virtualized environment. If FSVM 166 fails, a new leader may be designated for VFS 160.

In some examples, the user VMs may send data to the VFS 160 using write requests, and may receive data from it using read requests. The read and write requests, and their associated parameters, data, and results, may be sent between a user VM and one or more file server VMs (FSVMs) located on the same host machine as the user VM or on different host machines from the user VM. The read and write requests may be sent between host machines 102, 104, 106 via network 154, e.g., using a network communication protocol such as iSCSI, CIFS, SMB, TCP, IP, or the like. When a read or write request is sent between two VMs located on the same one of the host machines 102, 104, 106 (e.g., between the 112 and the FSVM 162 located on the host machine 102), the request may be sent using local communication within the host machine 102 instead of via the network 154. Such local communication may be faster than communication via the network 154 in some examples. The local communication may be performed by, e.g., writing to and reading from shared memory accessible by the user VM 112 and the FSVM 162, sending and receiving data via a local “loopback” network interface, local stream communication, or the like.

In some examples, the storage items stored by the VFS 160, such as files and folders, may be distributed amongst storage managed by multiple FSVMs 162, 164, 166. In some examples, when storage access requests are received from the user VMs, the VFS 160 identifies FSVMs 162, 164, 166 at which requested storage items, e.g., folders, files, or portions thereof, are stored or managed, and directs the user VMs to the locations of the storage items. The FSVMs 162, 164, 166 may maintain a storage map, such as a sharding map, that maps names or identifiers of storage items to their corresponding locations. The storage map may be a distributed data structure of which copies are maintained at each FSVM 162, 164, 166 and accessed using distributed locks or other storage item access operations. In some examples, the storage map may be maintained by an FSVM at a leader node such as the FSVM 166, and the other FSVMs 162 and 164 may send requests to query and update the storage map to the leader FSVM 166. Other implementations of the storage map are possible using appropriate techniques to provide asynchronous data access to a shared resource by multiple readers and writers. The storage map may map names or identifiers of storage items in the form of text strings or numeric identifiers, such as folder names, files names, and/or identifiers of portions of folders or files (e.g., numeric start offset positions and counts in bytes or other units) to locations of the files, folders, or portions thereof. Locations may be represented as names of FSVMs, e.g., “FSVM-1”, as network addresses of host machines on which FSVMs are located (e.g., “ip-addr1” or 128.1.1.10), or as other types of location identifiers.

When a user application, e.g., executing in a user VM 112 on host machine 102 initiates a storage access operation, such as reading or writing data, the user VM 112 may send the storage access operation in a request to one of the FSVMs 162, 164, 166 on one of the host machines 102, 104, 106. A FSVM 164 executing on a host machine 102 that receives a storage access request may use the storage map to determine whether the requested file or folder is located on and/or managed by the FSVM 164. If the requested file or folder is located on and/or managed by the FSVM 164, the FSVM 164 executes the requested storage access operation. Otherwise, the FSVM 164 responds to the request with an indication that the data is not on the FSVM 164, and may redirect the requesting user VM 112 to the FSVM on which the storage map indicates the file or folder is located. The client may cache the address of the FSVM on which the file or folder is located, so that it may send subsequent requests for the file or folder directly to that FSVM.

As an example and not by way of limitation, the location of a file or a folder may be pinned to a particular FSVM 162 by sending a file service operation that creates the file or folder to a CVM, container, and/or hypervisor associated with (e.g., located on the same host machine as) the FSVM 162—the CVM 124 in the example of FIG. 1A. The CVM, container, and/or hypervisor may subsequently processes file service commands for that file for the FSVM 162 and send corresponding storage access operations to storage devices associated with the file. In some examples, the FSVM may perform these functions itself. The CVM 124 may associate local storage 136 with the file if there is sufficient free space on local storage 136. Alternatively, the CVM 124 may associate a storage device located on another host machine 202, e.g., in local storage 138, with the file under certain conditions, e.g., if there is insufficient free space on the local storage 136, or if storage access operations between the CVM 124 and the file are expected to be infrequent. Files and folders, or portions thereof, may also be stored on other storage devices, such as the network-attached storage (NAS) network-attached storage 110 or the cloud storage 108 of the storage pool 156.

In particular embodiments, a name service 168, such as that specified by the Domain Name System (DNS) Internet protocol, may communicate with the host machines 102, 104, 106 via the network 154 and may store a database of domain names (e.g., host names) to IP address mappings. The domain names may correspond to FSVMs, e.g., fsvm1.domain.com or ip-addr1.domain.com for an FSVM named FSVM-1. The name service 168 may be queried by the user VMs to determine the IP address of a particular host machine 102, 104, 106 given a name of the host machine, e.g., to determine the IP address of the host name ip-addr1 for the host machine 102. The name service 168 may be located on a separate server computer system or on one or more of the host machines 102, 104, 106. The names and IP addresses of the host machines of the VFS 160, e.g., the host machines 102, 104, 106, may be stored in the name service 168 so that the user VMs may determine the IP address of each of the host machines 102, 104, 106, or FSVMs 162, 164, 166. The name of each VFS instance, e.g., FS1, FS2, or the like, may be stored in the name service 168 in association with a set of one or more names that contains the name(s) of the host machines 102, 104, 106 or FSVMs 162, 164, 166 of the VFS 160 instance. The FSVMs 162, 164, 166 may be associated with the host names ip-addr1, ip-addr2, and ip-addr3, respectively. For example, the file server instance name FS1.domain.com may be associated with the host names ip-addr1, ip-addr2, and ip-addr3 in the name service 168, so that a query of the name service 168 for the server instance name “FS1” or “FS1.domain.com” returns the names ip-addr1, ip-addr2, and ip-addr3. As another example, the file server instance name FS1.domain.com may be associated with the host names fsvm-1, fsvm-2, and fsvm-3. Further, the name service 168 may return the names in a different order for each name lookup request, e.g., using round-robin ordering, so that the sequence of names (or addresses) returned by the name service for a file server instance name is a different permutation for each query until all the permutations have been returned in response to requests, at which point the permutation cycle starts again, e.g., with the first permutation. In this way, storage access requests from user VMs may be balanced across the host machines, since the user VMs submit requests to the name service 168 for the address of the VFS instance for storage items for which the user VMs do not have a record or cache entry, as described below.

In particular embodiments, each FSVM may have two IP addresses: an external IP address and an internal IP address. The external IP addresses may be used by SMB/CIFS clients, such as user VMs, to connect to the FSVMs. The external IP addresses may be stored in the name service 168. The IP addresses ip-addr1, ip-addr2, and ip-addr3 described above are examples of external IP addresses. The internal IP addresses may be used for iSCSI communication to CVMs, e.g., between the FSVMs 162, 164, 166 and the CVMs 124, 132, 128. Other internal communications may be sent via the internal IP addresses as well, e.g., file server configuration information may be sent from the CVMs to the FSVMs using the internal IP addresses, and the CVMs may get file server statistics from the FSVMs via internal communication.

Since the VFS 160 is provided by a distributed cluster of FSVMs 162, 164, 166, the user VMs that access particular requested storage items, such as files or folders, do not necessarily know the locations of the requested storage items when the request is received. A distributed file system protocol, e.g., MICROSOFT DFS or the like, may therefore be used, in which a user VM 112 may request the addresses of FSVMs 162, 164, 166 from a name service 168 (e.g., DNS). The name service 168 may send one or more network addresses of FSVMs 162, 164, 166 to the user VM 112. The addresses may be sent in an order that changes for each subsequent request in some examples. These network addresses are not necessarily the addresses of the FSVM 164 on which the storage item requested by the user VM 112 is located, since the name service 168 does not necessarily have information about the mapping between storage items and FSVMs 162, 164, 166. Next, the user VM 112 may send an access request to one of the network addresses provided by the name service, e.g., the address of FSVM 164. The FSVM 164 may receive the access request and determine whether the storage item identified by the request is located on the FSVM 164. If so, the FSVM 164 may process the request and send the results to the requesting user VM 112. However, if the identified storage item is located on a different FSVM 166, then the FSVM 164 may redirect the user VM 112 to the FSVM 166 on which the requested storage item is located by sending a “redirect” response referencing FSVM 166 to the user VM 112. The user VM 112 may then send the access request to FSVM 166, which may perform the requested operation for the identified storage item.

A particular VFS 160, including the items it stores, e.g., files and folders, may be referred to herein as a VFS “instance” and may have an associated name, e.g., FS1, as described above. Although a VFS instance may have multiple FSVMs distributed across different host machines, with different files being stored on FSVMs, the VFS instance may present a single name space to its clients such as the user VMs. The single name space may include, for example, a set of named “shares” and each share may have an associated folder hierarchy in which files are stored. Storage items such as files and folders may have associated names and metadata such as permissions, access control information, size quota limits, file types, files sizes, and so on. As another example, the name space may be a single folder hierarchy, e.g., a single root directory that contains files and other folders. User VMs may access the data stored on a distributed VFS instance via storage access operations, such as operations to list folders and files in a specified folder, create a new file or folder, open an existing file for reading or writing, and read data from or write data to a file, as well as storage item manipulation operations to rename, delete, copy, or get details, such as metadata, of files or folders. Note that folders may also be referred to herein as “directories.”

In particular embodiments, storage items such as files and folders in a file server namespace may be accessed by clients, such as user VMs, by name, e.g., “\Folder-1\File-1” and “\Folder-2\File-2” for two different files named File-1 and File-2 in the folders Folder-1 and Folder-2, respectively (where Folder-1 and Folder-2 are sub-folders of the root folder). Names that identify files in the namespace using folder names and file names may be referred to as “path names.” Client systems may access the storage items stored on the VFS instance by specifying the file names or path names, e.g., the path name “\Folder-1\File-1”, in storage access operations. If the storage items are stored on a share (e.g., a shared drive), then the share name may be used to access the storage items, e.g., via the path name “\\Share-1\Folder-1\File-1” to access File-1 in folder Folder-1 on a share named Share-1.

In particular embodiments, although the VFS may store different folders, files, or portions thereof at different locations, e.g., on different FSVMs, the use of different FSVMs or other elements of storage pool 156 to store the folders and files may be hidden from the accessing clients. The share name is not necessarily a name of a location such as an FSVM or host machine. For example, the name Share-1 does not identify a particular FSVM on which storage items of the share are located. The share Share-1 may have portions of storage items stored on three host machines, but a user may simply access Share-1, e.g., by mapping Share-1 to a client computer, to gain access to the storage items on Share-1 as if they were located on the client computer. Names of storage items, such as file names and folder names, may similarly be location-independent. Thus, although storage items, such as files and their containing folders and shares, may be stored at different locations, such as different host machines, the files may be accessed in a location-transparent manner by clients (such as the user VMs). Thus, users at client systems need not specify or know the locations of each storage item being accessed. The VFS may automatically map the file names, folder names, or full path names to the locations at which the storage items are stored. As an example and not by way of limitation, a storage item's location may be specified by the name, address, or identity of the FSVM that provides access to the storage item on the host machine on which the storage item is located. A storage item such as a file may be divided into multiple parts that may be located on different FSVMs, in which case access requests for a particular portion of the file may be automatically mapped to the location of the portion of the file based on the portion of the file being accessed (e.g., the offset from the beginning of the file and the number of bytes being accessed).

In particular embodiments, VFS 160 determines the location, e.g., FSVM, at which to store a storage item when the storage item is created. For example, a FSVM 162 may attempt to create a file or folder using a CVM 124 on the same host machine 102 as the user VM 114 that requested creation of the file, so that the CVM 124 that controls access operations to the file folder is co-located with the user VM 114. While operations with a CVM are described herein, the operations could also or instead occur using a hypervisor and/or container in some examples. In this way, since the user VM 114 is known to be associated with the file or folder and is thus likely to access the file again, e.g., in the near future or on behalf of the same user, access operations may use local communication or short-distance communication to improve performance, e.g., by reducing access times or increasing access throughput. If there is a local CVM on the same host machine as the FSVM, the FSVM may identify it and use it by default. If there is no local CVM on the same host machine as the FSVM, a delay may be incurred for communication between the FSVM and a CVM on a different host machine. Further, the VFS 160 may also attempt to store the file on a storage device that is local to the CVM being used to create the file, such as local storage, so that storage access operations between the CVM and local storage may use local or short-distance communication.

In some examples, if a CVM is unable to store the storage item in local storage of a host machine on which an FSVM resides, e.g., because local storage does not have sufficient available free space, then the file may be stored in local storage of a different host machine. In this case, the stored file is not physically local to the host machine, but storage access operations for the file are performed by the locally-associated CVM and FSVM, and the CVM may communicate with local storage on the remote host machine using a network file sharing protocol, e.g., iSCSI, SAMBA, or the like.

In some examples, if a virtual machine, such as a user VM 112, CVM 124, or FSVM 162, moves from a host machine 102 to a destination host machine 104, e.g., because of resource availability changes, and data items such as files or folders associated with the VM are not locally accessible on the destination host machine 104, then data migration may be performed for the data items associated with the moved VM to migrate them to the new host machine 104, so that they are local to the moved VM on the new host machine 104. FSVMs may detect removal and addition of CVMs (as may occur, for example, when a CVM fails or is shut down) via the iSCSI protocol or other technique, such as heartbeat messages. As another example, a FSVM may determine that a particular file's location is to be changed, e.g., because a disk on which the file is stored is becoming full, because changing the file's location is likely to reduce network communication delays and therefore improve performance, or for other reasons. Upon determining that a file is to be moved, VFS 160 may change the location of the file by, for example, copying the file from its existing location(s), such as local storage 136 of a host machine 102, to its new location(s), such as local storage 138 of host machine 104 (and to or from other host machines, such as local storage 140 of host machine 106 if appropriate), and deleting the file from its existing location(s). Write operations on the file may be blocked or queued while the file is being copied, so that the copy is consistent. The VFS 160 may also redirect storage access requests for the file from an FSVM at the file's existing location to a FSVM at the file's new location.

In particular embodiments, VFS 160 includes at least three File Server Virtual Machines (FSVMs) 162, 164, 166 located on three respective host machines 102, 104, 106. To provide high-availability, in some examples, there may be a maximum of one FSVM for a particular VFS instance VFS 160 per host machine in a cluster. If two FSVMs are detected on a single host machine, then one of the FSVMs may be moved to another host machine automatically in some examples, or the user (e.g., system administrator) may be notified to move the FSVM to another host machine. The user may move a FSVM to another host machine using an administrative interface that provides commands for starting, stopping, and moving FSVMs between host machines.

In some examples, two FSVMs of different VFS instances may reside on the same host machine. If the host machine fails, the FSVMs on the host machine become unavailable, at least until the host machine recovers. Thus, if there is at most one FSVM for each VFS instance on each host machine, then at most one of the FSVMs may be lost per VFS per failed host machine. As an example, if more than one FSVM for a particular VFS instance were to reside on a host machine, and the VFS instance includes three host machines and three FSVMs, then loss of one host machine would result in loss of two-thirds of the FSVMs for the VFS instance, which may be more disruptive and more difficult to recover from than loss of one-third of the FSVMs for the VFS instance.

In some examples, users, such as system administrators or other users of the system and/or user VMs, may expand the cluster of FSVMs by adding additional FSVMs. Each FSVM may be associated with at least one network address, such as an IP (Internet Protocol) address of the host machine on which the FSVM resides. There may be multiple clusters, and all FSVMs of a particular VFS instance are ordinarily in the same cluster. The VFS instance may be a member of a MICROSOFT ACTIVE DIRECTORY domain, which may provide authentication and other services such as name service.

In some examples, files hosted by a virtualized file server, such as the VFS 160, may be provided in shares—e.g., SMB shares and/or NFS exports. SMB shares may be distributed shares (e.g., home shares) and/or standard shares (e.g., general shares). NFS exports may be distributed exports (e.g., sharded exports) and/or standard exports (e.g., non-sharded exports). A standard share may in some examples be an SMB share and/or an NFS export hosted by a single FSVM (e.g., FSVM 162, FSVM 164, and/or FSVM 166 of FIG. 1A). The standard share may be stored, e.g., in the storage pool in one or more volume groups and/or vDisks and may be hosted (e.g., accessed and/or managed) by the single FSVM. The standard share may correspond to a particular folder (e.g., \\enterprise\finance may be hosted on one FSVM, \\enterprise\hr on another FSVM). In some examples, distributed shares may be used which may distribute hosting of a top-level directory (e.g., a folder) across multiple FSVMs. So, for example, \\enterprise\users\ann and \\enterprise\users\bob may be hosted at a first FSVM, while \\enterprise\users\chris and \\enterprise\users\dan are hosted at a second FSVM. In this manner a top-level directory (e.g., \\enterprise\users) may be hosted across multiple FSVMs. This may also be referred to as a sharded or distributed share (e.g., a sharded SMB share). As discussed, a distributed file system protocol, e.g., MICROSOFT DFS or the like, may be used, in which a user VM may request the addresses of FSVMs 162, 164, 166 from a name service (e.g., DNS).

Accordingly, systems described herein may include one or more virtual file servers, where each virtual file server may include a cluster of file server VMs and/or containers operating together to provide a file system. Examples of systems described herein may include a file analytics system that may collect, monitor, store, analyze, and report on various analytics associates with the virtual file server(s). By providing a file analytics system, system administrators may advantageously find it easier to manage their files stored in a distributed file system, and may more easily gain, understand, protect and utilize insights about the stored data and/or the usage of the file system over time. Examples of file analytics systems are described using an analytics virtual machine (an analytics VM), however, it is to be understood that the analytics VM may be implemented in various examples using one or more virtual machines and/or one or more containers. The analytics VM may be hosted on one of the computing nodes of the virtualized file server 160, or may be hosted on a computing node external to the virtualized file server 160.

The analytics VM 170 may retrieve, organize, aggregate, and/or analyze information corresponding to a file system. The information may be stored in an analytics datastore. The analytics VM 170 may query or monitor the analytics datastore to provide information to an administrator in the form of display interfaces, reports, and alerts/notifications. As shown in FIG. 1A, the analytics VM 170 may be hosted on the computing node (host machine) 102. Without departing from the scope of the disclosure, the analytics VM 170 may be hosted on any computing node, including the computing nodes 104 or 106, or a node external to the virtualized file server. In some examples, the analytics VM 170 may be provided as a hosted analytics system on a computing system and/or platform in communication with the VFS 160. For example, the analytics VM 170 may be provided as a hosted analytics system in the cloud—e.g., provided on one or more cloud computing platforms.

In some examples, the analytics VM 170 may perform various functions that are split into different containerized components using a container architecture and container manager. For example, the analytics VM 170 may include three containers—(1) a message bus (e.g., Kafka server), (2) an analytics data engine (e.g., Elastic Search), and (3) an API server, which may host various processes. During operation, the analytics VM 170 may perform multiple functions related to information collection, including a metadata collection process to receive metadata associated with the file system, a configuration information collection process to receive configuration and user information from the VFS 160, and an event data collection process to receive event data from the VFS 160.

The metadata collection process may include gathering the overall size, structure, and storage locations of parts of the file system managed by the VFS 160, as well as details for each data item (e.g., file, folder, directory, share, etc.) in the VFS 160. In some examples, the analytics VM 170 may mount one or more of the snapshots 171, 173, 175 of the VFS 160 to scan the file system to retrieve metadata of the file system managed by the VFS 160. Each snapshot may represent a state of the file system managed by the VFS 160 at a point in time. The analytics VM 170 may use the information gathered from the one or more snapshots to develop a comprehensive picture of the file system managed by the VFS 160 at a point in time, as well as to derive events by comparing successive snapshots.

In some examples, the snapshots may be provided by a disaster recovery application of the VFS 160. For example, the FSVM 162 may generate FSVM1 snapshots 171, the FSVM 164 may generate FSVM2 snapshots 173, and the FSVM 166 may generate FSVM3 snapshots 175. While an example of the FSVM generating the snapshots is provided, the snapshots may be generated by other processes in other examples (e.g., a disaster recovery process, a management process, or other component running on or in communication with the VFS 160).

In some examples, the analytics VM 170 may mount one or more of the snapshots 171, 173, 175 of the VFS 160 to obtain metadata of the file system managed by the VFS 160. In some examples, the analytics VM 170 may communicate directly with each of the FSVMs 162, 164, 166 of the VFS 160 during the metadata collection process to retrieve respective portions of the metadata from the snapshots. In some examples, the metadata collection processes performed by the analytics VM 170 may include a multi-threaded breadth-first search (BFS) that involves performing parallel threaded file system scanning. The parallel threaded file system scanning may include parallel scanning of different shares, parallel scanning of different folders of a common share, or any combination thereof. In some examples, the metadata collection process may implement a parallel BFS with level order traversal of a directory tree to collect metadata. Level order traversal may include processing a directory tree one level at a time. For example, starting with a top-level directory, a first level of a directory tree is processed before moving onto a next level a next level of the directory tree. The level order traversal includes a current queue, which includes each item in the level of the directory tree currently being processed, and a next queue, which includes children of the level of the directory tree currently being processed. When processing of the current queue is completed, the current queue may be loaded with the next queue entries. By performing level order traversal, a size of the two queues may be more manageable, as compared with a system where every item from a directory tree being loaded into a single queue. The parallel BFS may include starting a thread on each level, and letting processing of all the data items on that level get complete in the current queue before making a move to the next or child queue.

In some examples, during the metadata scan, the VFS 160, the analytics VM 170, or another service, process, or application hosted or running on one or more of the computing nodes 102, 104, 106 may add a checkpoint or marker (e.g., index) after every completed metadata transaction (e.g., after completing a scan of a level of a directory tree or a scan of a share) to indicate where it left off. In some examples, when processing of the current queue is complete, the current queue may be stored as the checkpoint before loading the next queue into the current queue. The checkpoint may allow the analytics VM 170 to return to the checkpoint to resume the scan should the scan be interrupted for some reason. Without the checkpoint, the metadata scan may start anew, creating duplicate metadata records in the events log that need to be resolved.

In some examples, the analytics VM 170 may make an initial snapshot scan of the VFS 160 to obtain initial metadata concerning the file system (e.g., number of files, directories, file names, file sizes, file owner ID and/or name, file permissions (e.g., access control lists, etc.) using the FSVM1-3 snapshots 171, 173, 175. The analytics tool 170 may provide an API call (e.g., SMB ACL call) to the VFS 160 to retrieve owner usernames and/or ACL permission information based on the owner identifier and the ACL identifier.

Subsequent metadata may be obtained by mounting snapshots periodically and extracting metadata from the snapshots. By using snapshots to collect metadata, the analytics VM 170 may avoid or reduce the instances of scanning the file system itself during file system operation, which may in some examples slow or otherwise interfere with file system operation.

For disaster recovery, the FSVMs 162, 164, and 166 or another component (e.g., application, process, and/or service) of the VFS 160 or another component of the distributed computing system or in communication with the distributed computing system 100 (e.g., a computing node, an administrative system, a storage controller, the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.) may periodically generate new, updated FSVM1-3 snapshots 171, 173, 175, respectively, of the file system to aid in disaster recovery over time. In some examples, in addition to use of individual ones of the FSVM1-3 snapshots 171, 173, and 175 to determine a state of the file system at a point in time, the analytics VM 170 may compare different versions of the FSVM1-3 snapshots 171, 173, 175 to detect metadata differences, and then may use those detected metadata differences to derive event data. For example, if the metadata of a first snapshot of the FSVM1 snapshots 171 indicates that a particular share has a first size and the metadata of a second snapshot of the FSVM1 snapshots 171 indicates that the particular share has a second size, the analytics VM 170 may generate an event that the size of the particular file was changed from the first size to the second size. Other types of events may be derived by the analytics VM 170 if a metadata comparison between two snapshots reveals that a file/folder/share/directory/etc. is added, removed, moved, or some other change has taken place.

In some examples, the shares of the file system managed by the VFS 160 may be sharded (e.g., distributed across multiple FSVMs 162, 164, 166), which may impact capturing of a complete set of metadata for the file system. FIG. 1B illustrates an example hierarchical structure 101 of a portion of the VFS 160 according to particular embodiments. Portions of a share 191 of the VFS 160 may be distributed or sharded across the FSVM 162 and the FSVM 164. As shown, the FSVM 161 may manage a first directory (e.g., a folder-1 192 and a file-1 193) and a second directory (e.g., a folder-2 194, a folder-3 195, and a file-2 196) of the share 191. The FSVM 162 may manage a third directory (e.g., a folder-4 197 and a file-3 198) of the share 191. Thus, when the FSVM1 snapshot 171 is generated, it may not include the metadata details for the third branch structure managed by the FSVM 164. Similarly, when the FSVM2 snapshot 173 is generated, it may not include the metadata details for the first and second directories managed by the FSVM 162. In some examples, the FSVM1 snapshot 171 may include a pointer or some other indicator (e.g., a FSVM identifier) of the presence of the third directory branch structure managed by the FSVM 164. Similarly, the FSVM2 snapshot 173 may include a pointer or some other indicator (e.g., a FSVM identifier) of the presence of the first and second directories managed by the FSVM 162.

Thus, as part of the metadata collection process, a distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM identifiers (e.g., IP addresses) to be mounted to access the full share 191. However, in some examples, the analytics VM 170 may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if the FSVM1 snapshot 171 for a portion of a share hosted by the FSVM 162 is mounted, the analytics VM 170 may identify all folders (e.g., top-level directories), but not all data for the share may be available via the FSVM1 snapshot 171. Rather, some of the data may be hosted on other FSVMs 164 or 166, and stored in the FSVM2 snapshots 173 or the FSVM3 snapshots 175. In some examples, the analytics VM 170 may map top-level directories to the FSVM 162, 164, and/or 166 using the snapshots 171, 173, 175, and then may use that information to traverse those directories. So, for example, the analytics VM 170 may identify that the FSVM 162 and the FSVM 164 may host a particular top-level directory (e.g., share 191 of FIG. 1B) when scanning the FSVM1 snapshot 171 or the FSVM2 snapshot 173. In order to scan all of the metadata for that top-level directory, the other of the FSVM1 snapshot 171 or the FSVM2 snapshot 173 may be accessed and scanned to retrieve the rest of the data. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics VM 170, even without use of a DFS Referral. The metadata retrieved during the metadata collection process may be used to present information about the VFS 160 to a user via a user interface or via a report. The metadata may also be used to analyze event data, and to present recommendations to an administrator. For example, the analytics VM 170 may compare access history for a share with an ACL assigned to the share to recommend a change in the ACL based on the access history.

To capture configuration information, the analytics VM 170 may use an application programming interface (API) architecture to request the configuration information from the VFS 160. The API architecture may include representation state transfer (REST) API architecture. The configuration information may include user information, a number of shares, deleted shares, created shares, etc. In some examples, the analytics VM 170 may communicate directly with the leader FSVM of the FSVMs 162, 164, 166 of the VFS 160 to collect the configuration information. In some examples, the analytics VM 170 may communicate directly with another component (e.g., application, process, and/or service) of the VFS 160 or another component of the distributed computing system or in communication with the distributed computing system 100 (e.g., a computing node, an administrative system, a storage controller, the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.) to collect the configuration information.

To capture event data, the analytics VM 170 may interface with the VFS 160 using a messaging system (e.g., publisher/subscriber message system) to receive event data for storage in the analytics datastore. That is, the analytics VM 170 may subscribe to one or more message topics related to activity of the VFS 160. The VFS 160 may include an audit framework with a connector publisher that is configured to publish the event data for consumption by the analytics VM 170. The CVMs 124, 126, 128 (and/or hypervisors or other containers) may host a message service configured to route messages between publishers and subscribers/consumers over a message bus. The event data may include data related to various operations performed with the VFS 160, such as adding, deleting, moving, modifying, etc., a file, folder, directory, share, etc., within the VFS 160. The event information may indicate an event type (e.g., add, move, delete, modify, a user associated with the event, an event time, etc. In some examples, once an event is written to the analytics datastore, it is not able to be modified. In some examples, the analytics VM 170 may be configured to aggregate multiple events into a single event for storage in the analytics datastore 190. For example, if a known task (e.g., moving a file) results in generation of a predictable sequence of events, the analytics VM 170 may aggregate that sequence into a single event.

In some examples, the analytics VM 170 and/or the corresponding VFS 160 may include protections to prevent event data from being lost. In some examples, the VFS 160 may store event data until it is consumed by the analytics VM 170. For example, if the analytics VM 170 (e.g., or the message system) becomes unavailable, the VFS 160 may persistently store the event data until the analytics VM 170 (e.g., or the message system) becomes available.

To support the persistent storage, and well as provision of the event data to the analytics VM 170, the FSVMs 162, 164, 166 of the VFS 160 may each include the audit framework that includes a dedicated event log (e.g., tied to a FSVM-specific volume group) that is capable of being scaled to store all event data and/or metadata for a particular FSVM until successfully sent to the analytics VM 170. In some examples, the audit framework for each FSVM 162, 164, 166 may be hosted by another component (e.g., application, process, and/or service) of the VFS 160 or another component of the distributed computing system or in communication with the distributed computing system 100 (e.g., a computing node, an administrative system, a storage controller, the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.) The audit framework may include an audit queue, an event logger, an event log, and a service connector. The audit queue may be configured to receive event data and/or metadata from the VFS 160 via network file server or server message block server communications, and to provide the event data and/or metadata to the event logger. The event logger may be configured to store the received event data and/or metadata from the audit queue, as well as retrieve requested event data and/or metadata from the event log in response to a request from the service connector. The service connector may be configured to communicate with other services (e.g., such as a message topic broker of the analytics VM 170) to respond to requests for provision of event data and/or metadata, as well as receive acknowledgments when event data and/or metadata are successfully received by the analytics VM 170. The events in the event log may be uniquely identified by a monotonically increasing sequence number, will be persisted to an event log and will be read from it when requested by the service connector.

The event logger may coordinate all of the event data and/or metadata writes and reads to and from the event log, which may facilitate the use of the event log for multiple services. The event logger may keep the in-memory state of the write index in the event log, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

Multiple services may be able to read from event log via their own service connectors (e.g., Kafka connectors). A service connector may have the responsibility of sending event data and metadata to the requesting service (e.g., such as the message topic broker of the analytics VM 170) reliably, keeping track of its state, and reacting to its failure and recovery. Each service connector may be tasked with persisting its respective read index, as well as being able to communicate the respective read index to the event logger when initiating an event read. The service connector may increment the in-memory read index only after receiving acknowledgement from its corresponding service and will periodically persist in-memory state. The persisted read index value may be read at start/restart (e.g., or after a service interruption) and used to set the in-memory read index to a value from which to start reading from.

During service start/recovery, service connector may detect its presence and initiate an event read by communicating the read index to the event logger to read from the event log as part of the read call. The event logger may use the read index to find the next event to read and send to the requesting service (e.g., message topic broker of the analytics VM 170) via the service connector.

The analytics VM 170 and/or the VFS 160 may further include architecture to prevent event data from being processed out of chronological order. For example, the service connector and/or the requesting service may keep track of message sequence number it has seen before failure, and may ignore any messages which have sequence number less than and equal to the sequence it has seen before failure. An exception may be raised by the message topic broker of the requesting service if the event log does not have the event for the sequence number expected by the service connector or if the message topic broker indicates that it has received a message with a sequence number that is not consecutive. In order to use the same event log for other services, a superset of all the proto fields will be taken to create a common format for event record. The service connector will be responsible for filtering the required fields to get the ones it needs.

As previously discussed, the audit framework and event log may be tied to a particular FSVM in its own volume group. Thus, if a FSVM is migrated to another computing node, the event log may move with the FSVM and be maintained in the separate volume group from event logs of other FSVMs.

In some examples, the VFS 160 may be configured with denylist policies to denylist or prevent certain types of events from being analyzed and/or sent to the analytics VM 170, such as specific event types, events corresponding to a particular user, events corresponding to a particular client IP address, events related to certain file types, or any combination thereof. The denylisted events may be provided from the VFS 160 to the analytics VM 170 in response to an API call from the analytics VM 170. In addition, the analytics VM 170 may include an interface that allows a user to request and/or update the denylist policy, and send the updated denylist policy to the VFS 160. In some examples, the analytics VM 170 may be configured to process multiple channels of event data in parallel, while maintaining integrity and sequencing of the event data such that older event data does not overwrite newer event data.

In some examples, the analytics VM 170 may perform the metadata collection process in parallel with receipt of event data via the messaging system. The analytics VM 170 may reconcile information captured via the metadata collection process with event data information to prevent older data from overwriting newer data. In cases of reconciliation of the file system state caused by triggering an on demand scan, the state of the files index may be updated by both the event flow process and the scan process. To avoid the race condition, and maintain data integrity, when a metadata record corresponding to a storage item is received, the events processor may determine if any records for the storage item exist, and if so, may decline to update those records. If no records exist, then the events processor may add a record for the storage item.

The analytics VM 170 may process the metadata, the event data, and the configuration information to populate the analytics datastore 190. The analytics datastore 190 may include an entry for each item in the VFS 160. In some examples, the event data and the metadata may include a unique user identifier that ties back to a user, but is not used outside of the event data generation. In some examples, the analytics VM 170 may retrieve a user ID-to-username relationship from an active directory of the VFS 160 by connecting to a lightweight directory access protocol (LDAP) (e.g., for SMB, perform LDAP search on configured active directory, or on NFS, perform PDAP search on configured active directory or execute an API call if RFC2307 is not configured). In addition, rather than requesting a username or other identifier associated with the unique user identifier for every event, the analytics VM 170 may maintain a username-to-unique user identifier conversion table (e.g., stored in cache) for at least some of the unique user identifiers, and the username-to-unique user identifier conversion table may be used to retrieve a username, which may reduce traffic and improve performance of the VFS 160. Any to provide user context for active directory enabled SMB shares may help an administrator understand which user performed which operation as well as ownership of the file.

The analytics VM 170 may generate reports, including standard or default reports and/or customizable reports. The reports may be related to aggregate and/or specific user activity; aggregate file system activity; specific file, directory, share, etc., activity; etc.; or any combination of thereof. If multiple report requests are submitted at a same time and/or during at least partially overlapping times, examples of the analytics VM may queue report requests and process the requests sequentially and/or partially sequentially. The status of report requests in the queue may be displayed (e.g., queued, processing, completed, etc.). In some examples, the analytics VM 170 may manage and facilitate administrator-set archival policies, such as time-based archival (e.g., archive data based on a last-accessed data being greater than a threshold), storage capacity-based archival (e.g., archiving certain data when available storage falls below a threshold), or any combination thereof.

In some examples, the analytics VM 170 may be configured to analyze the received event data to detect irregular, anomalous, and/or malicious activity within the file system. For example, the analytics VM 170 may detect malicious software activity (e.g., ransomware) or anomalous user activity (e.g., deleting a large amount of files, deleting a large share, etc.).

In some examples, in order to obtain metadata and/or events data regarding the file server, the analytics VM 170 may mount one or more shares managed by the VFS 160 and/or snapshots of shares managed by the VFS 160. Recall that in some examples shares may be sharded (e.g., distributed across multiple FSVMs). A distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM IDs (e.g., IP addresses) to be mounted to access the full share. However, in some examples, the analytics VM 170 may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if a snapshot 175 of a share hosted by FSVM 166 is mounted, the analytics VM 170 may identify all folders (e.g., top-level directories), but not all data may be seen as some of the data may be hosted on other FSVMs. In some examples, the analytics VM 170 may identify top-level directories are on which FSVMs and traverse those directories. So, for example, the analytics VM 170 may identify that FSVM 166 and FSVM 164 may host a particular top-level directory, and in order to scan metadata for that top-level directory, snapshots for both FSVMs may be accessed and scanned. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics VM 170, even without use of a DFS Referral.

FIG. 2A illustrates a clustered virtualization environment 200 implementing a virtualized file server (VFS) 260 and an analytics VM 270 according to particular embodiments according to particular embodiments. The analytics VM 270 may retrieve, organize, aggregate, and/or analyze information corresponding to the VFS 260 in an analytics datastore. The VFS 160 and/or the analytics VM 170 of FIG. 1A may be used to implement the VFS 260 and/or the analytics VM 270, respectively. The architecture of FIG. 2 can be implemented using a distributed platform that contains a cluster 201 of multiple host machines 202, 204, and 206 that manage a storage pool, which may include multiple tiers of storage. While the analytics VM 270 is shown as part of the clustered virtualization environment 200, in some examples the analytics VM 270 may be provided as a hosted cloud solution, e.g., provided by one or more cloud computing platforms and in communication with the clustered virtualization environment 200, e.g., with the VFS 260.

Each host machine 202, 204, 206 may run virtualization software which may create, manage, and destroy user VMs and/or containers, as well as managing the interactions between the underlying hardware and user VMs.

In particular embodiments, the VFS 260 provides file services to user VMs, such as storing and retrieving data persistently, reliably, and efficiently. The VFS 260 may include a set of FSVMs 262, 264, and 266 that execute on host machines 202, 204, and 206 and process storage item access operations requested by user VMs.

The analytics VM 270 may include an application layer 274 and an analytics platform 290. The application layer 274 may include components such an events processor 280, an alert and notification component 281, a visualization component 282, a policy management layer 283, an API layer 284, a machine learning service 285, a query layer 286, a security layer 287, a monitoring service 288, and an integration layer 289. Each layer may be implemented using software which may perform the described functions and may interact with other layers.

In some examples, the analytics platform 290, leveraging components of the application layer 274 may perform various functions that are split into different containerized components using a container architecture and container manager (e.g., an analytics datastore 292, a data ingestion engine 294, and a data collection framework 296). The integration layer 289 may integrate various components of the application layer 274 with components of the analytics platform 290.

During operation, the analytics VM 270 may perform multiple processes related to information collection, including a metadata collection process to receive metadata associated with the file system, a configuration information collection process to receive configuration and user information from the VFS 260, and an event data collection process to receive event data from the VFS 260. The data collection framework 296 may manage the metadata collection process and the configuration information collection process and the data ingestion engine 294 may manage capturing the event data.

The metadata collection process may include gathering the overall size, structure, and storage locations of parts of the file system managed by the VFS 260, as well as details for each data item (e.g., file, folder, directory, share, owner information, permission information, etc.) in the VFS 260. As part of the metadata collection process, the analytics VM 270 may mount one or more of the snapshots of the VFS 260 to retrieve metadata of the file system managed by the VFS 260. Each snapshot may represent a state of the file system managed by the VFS 260 at a point in time. The analytics VM 270 may use the information from the one or more snapshots to develop a comprehensive picture of the file system managed by the VFS 260 at a point in time. The analytics VM 270 may additionally or instead derive events by comparing successive snapshots. In some examples, the snapshots may be provided by a disaster recovery application of the VFS 260. For example, the FSVM 262 may generate FSVM1 snapshots, the FSVM 264 may generate FSVM2 snapshots, and the FSVM 266 may generate FSVM3 snapshots 275. While an example of the FSVM generating the snapshots is provided, the snapshots may be generated by other processes in other examples (e.g., a disaster recovery process, a management process, or other component running on or in communication with the VFS 260).

In some examples, the snapshots may be differential snapshots, in that the snapshots may only indicate files, directories, or other aspects of a share or of the file system that had changed since the last snapshot. Accordingly, in some examples, the analytics VM 270 may access the snapshot to determine which files, directories, shares, or other items had changed since a previous snapshot, and may access and obtain metadata from those updated items on the file server. This may reduce or eliminate a need to access and obtain metadata from all items on the file server at regular intervals. Instead, only changed items may be accessed to obtain updated metadata in some examples.

In some examples, the analytics VM 270 may mount one or more of the snapshots of the VFS 260 to retrieve metadata of the file system managed by the VFS 260. In some examples, the analytics VM 270 may communicate directly with each of the FSVMs 262, 264, 266 of the VFS 260 during the metadata collection process to retrieve respective portions of the metadata from the snapshots. In some examples, the metadata collection processes performed by the analytics VM 270 may include a multi-threaded breadth-first search (BFS) that involves performing parallel threaded file system scanning. The parallel threaded file system scanning may include parallel scanning of different shares, parallel scanning of different folders of a common share, or any combination thereof. In some examples, the metadata collection process may implement a parallel BFS with level order traversal of a directory tree to collect metadata. Level order traversal may include processing a directory tree one level at a time. For example, starting with a top-level directory, a first level of a directory tree is processed before moving onto a next level a next level of the directory tree. The level order traversal includes a current queue, which includes each item in the level of the directory tree currently being processed, and a next queue, which includes children of the level of the directory tree currently being processed. When processing of the current queue is completed, the current queue may be loaded with the next queue entries. By performing level order traversal, a size of the two queues may be more manageable, as compared with a system where every item from a directory tree being loaded into a single queue. The parallel BFS may include starting a thread on each level, and letting processing of all the data items on that level get complete in the current queue before making a move to the next or child queue.

In some examples, during the metadata scan, the VFS 260, the analytics VM 270, or another service, process, or application hosted or running on one or more of the computing nodes 202, 204, 206, or in communication with the distributed system, may add a checkpoint or marker (e.g., index) after every completed metadata transaction to indicate where it left off In some examples, when processing of the current queue is complete, the current queue may be stored as the checkpoint before loading the next queue into the current queue. The checkpoint may allow the analytics VM 270 to return to the checkpoint to resume the scan should the scan be interrupted for some reason. Without the checkpoint, the metadata scan may start anew, creating duplicate metadata records in the events log that need to be resolved.

In some examples, the analytics VM 270 may make an initial snapshot scan of the VFS 260 to obtain initial metadata concerning the file system (e.g., number of files, directories, file names, file sizes, file owner ID and/or name, file permissions (e.g., access control lists, etc.)) using the FSVM1-3 snapshots. The analytics tool 270 may provide an API call (e.g., SMB ACL call) to the VFS 260 to retrieve owner usernames and/or ACL permission information based on the owner identifier and the ACL identifier.

For disaster recovery, the FSVMs 262, 264, and 266 or another component (e.g., application, process, and/or service) of or in communication with the VFS 260 or another component of the clustered virtualization environment or in communication with the clustered virtualization environment 200 (e.g., computing node, administrative system, storage controller, CVMs, hypervisors, etc.) may periodically generate new, updated FSVM1-3 snapshots, respectively, of the file system to aid in disaster recovery over time. In some examples, in addition to use of individual ones of the FSVM1-3 snapshots to determine a state of the file system at a point in time, the analytics VM 270 may compare different versions of the FSVM1-3 snapshots to detect metadata differences, and then may use those detected metadata differences to derive event data. For example, if the metadata of a first snapshot of the FSVM1 snapshots indicates that a particular share has a first size and the metadata of a second snapshot of the FSVM1 snapshots indicates that the particular share has a second size, the analytics VM 270 may generate an event that the size of the particular file was changed from the first size to the second size. Other types of events may be derived by the analytics VM 270 if a metadata comparison between two snapshots reveals that a file/folder/share/directory/etc. is added, removed, moved, or some other change has taken place.

In some examples, the shares of the file system managed by the VFS 260 may be sharded (e.g., distributed across multiple FSVMs 262, 264, 266), which may impact capturing of a complete set of metadata for the file system. Thus, as part of the metadata collection process, a distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM IDs (e.g., IP addresses) to be mounted to access a full share. However, in some examples, the analytics tool may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if a FSVM1 snapshot for a portion of a share hosted by the FSVM 266 is mounted, the analytics VM 270 may identify all folders (e.g., top-level directories), but not all data for the share may be available via the FSVM1 snapshot. Rather, some of the data may be hosted on other FSVMs 264 or 266, and stored in the FSVM2 snapshots or the FSVM3 snapshots. In some examples, the analytics VM 270 may map top-level directories to the FSVM 262, 264, 266 using the snapshots, and then may use that information to traverse those directories. So, for example, the analytics VM 270 may identify that the FSVM 264 and the FSVM 266 may host a particular top-level directory when scanning the FSVM2 snapshot or the FSVM3 snapshot. In order to scan all of the metadata for that top-level directory, the other of the FSVM2 snapshot or the FSVM3 snapshot may be accessed and scanned to retrieve the rest of the data. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics VM 270, even without use of a DFS Referral. The metadata retrieved during the metadata collection process may be used to present information about the VFS 260 to a user via a user interface or via a report. The metadata may also be used to analyze event data, and to present recommendations to an administrator. For example, the analytics VM 270 may compare access history for a share with an ACL assigned to the share to recommend a change in the ACL based on the access history.

To capture configuration information, the analytics VM 270 via the data collection framework 296 and the API layer 284 may use an application programming interface (API) architecture to request the configuration information from the VFS 260. The API architecture may include representation state transfer (REST) API architecture. The configuration information may include user information, a number of shares, deleted shares, created shares, etc. In some examples, the analytics VM 270 may communicate directly with a leader FSVM of the FSVMs 262, 264, 266 of the VFS 260 to collect the configuration information. In some examples, the analytics VM 270 may communicate directly with another component (e.g., application, process, and/or service) of the VFS 260 or another component of the clustered virtualization environment or in communication with the clustered virtualization environment 200 (e.g., a computing node, an administrative system, virtualization manager, storage controller, CVMs, hypervisors, etc.) to collect the configuration information.

To capture event data (e.g., audit events), the analytics VM 270 via the data ingestion engine 294 may interface with the VFS 260 using a messaging system (e.g., publisher/subscriber message system) to receive event data via a message bus for storage in the analytics datastore 292. That is, the data ingestion engine 294 may subscribe to one or more message topics related to activity of the VFS 260, and the monitoring service 288 may monitor the message bus for audit events published by the VFS 260. The VFS 260 may include a connector publisher that is configured to publish the event data for consumption by the data collection framework 296. The event data may include data related to various operations performed with the VFS 260, such as adding, deleting, moving, modifying, etc., a file, folder, directory, share, etc., within the VFS 260. The event information may indicate an event type (e.g., add, move, delete, modify, a user associated with the event, an event time, etc. The events processor 280 may process the received data to create a record to be placed in the analytics datastore 292. In some examples, once an event is written to the analytics datastore 292, it is not able to be modified.

In some examples, the data collection framework 296 may be configured to aggregate multiple events into a single event for storage in the analytics datastore 292. For example, if a known task (e.g., moving a file) results in generation of a predictable sequence of events, the data collection framework 296 may aggregate that sequence into a single event.

In some examples, the analytics VM 270 and/or the corresponding VFS 260 may include protections to prevent event data from being lost. In some examples, the VFS 260 may store event data until it is consumed by the analytics VM 270. For example, if the analytics VM 270 (e.g., or the message system) becomes unavailable, the VFS 260 may store the event data until the analytics VM 270 (e.g., or the message system) becomes available.

To support the persistent storage, and well as provision of the event data to the analytics VM 270, the FSVMs 262, 264, 266 of the VFS 260 may each include an audit framework that includes a dedicated event log (e.g., tied to a FSVM-specific volume group) that is capable of being scaled to store all event data and/or metadata for a particular FSVM until successfully sent to the analytics VM 270. In some examples, the audit framework for each FSVM 262, 264, 266 may be hosted another component (e.g., application, process, and/or service) of the VFS 260 or another component of the clustered virtualization environment or in communication with the clustered virtualization environment 200 (e.g., computing node, administrative system, virtualization manager, storage controller, CVMs, hypervisors, etc.) The audit framework may include an audit queue, an event logger, an event log, and a service connector. The audit queue may be configured to receive event data and/or metadata from the VFS 260 via network file server or server message block server communications, and to provide the event data and/or metadata to the event logger. The event logger may be configured to store the received event data and/or metadata from the audit queue, as well as retrieve requested event data and/or metadata from the event log in response to a request from the service connector. The service connector may be configured to communicate with other services (e.g., such as a message topic broker of the analytics VM 270) to respond to requests for provision of event data and/or metadata, as well as receive acknowledgments when event data and/or metadata are successfully received by the analytics VM 270. The events in the event log may be uniquely identified by a monotonically increasing sequence number, will be persisted to an event log and will be read from it when requested by the service connector.

The event logger may coordinate all of the event data and/or metadata writes and reads to and from the event log, which may facilitate the use of the event log for multiple services. The event logger may keep the in-memory state of the write index in the event log, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

Multiple services may be able to read from event log via their own service connectors (e.g., Kafka connectors). A service connector may have the responsibility of sending event data and metadata to the requesting service (e.g., such as the message topic broker of the analytics VM 270) reliably, keeping track of its state, and reacting to its failure and recovery. Each service connector may be tasked with persisting its respective read index, as well as being able to communicate the respective read index to the event logger when initiating an event read. The service connector may increment the in-memory read index only after receiving acknowledgement from its corresponding service and will periodically persist in-memory state. The persisted read index value may be read at start/restart and used to set the in-memory read index to a value from which to start reading from.

During service start/recovery, service connector may detect its presence and initiate an event read by communicating the read index to the event logger to read from the event log as part of the read call. The event logger may use the read index to find the next event to read and send to the requesting service (e.g., message topic broker of the analytics VM 270) via the service connector.

The analytics VM 270 and/or the VFS 260 may further include architecture to prevent event data from being processed out of chronological order. For example, the service connector and/or the requesting service may keep track of message sequence number it has seen before failure, and may ignore any messages which have sequence number less than and equal to the sequence it has seen before failure. An exception may be raised by the message topic broker of the requesting service if the event log does not have the event for the sequence number expected by the service connector or if the message topic broker indicates that it has received a message with a sequence number that is not consecutive. In order to use the same event log for other services, a superset of all the proto fields will be taken to create a common format for event record. The service connector will be responsible for filtering the required fields to get the ones it needs.

As previously discussed, the audit framework and event log may be tied to a particular FSVM in its own volume group. Thus, if a FSVM is migrated to another computing node, the event log may move with the FSVM and be maintained in the separate volume group from event logs of other FSVMs.

In some examples, the data collection framework 296 via the events processor 280 may be configured to process multiple channels of event data in parallel, while maintaining integrity of the event data such that older event data does not overwrite newer event data.

In some examples, the data ingestion engine 294 and the data collection framework 296 may perform the metadata collection process in parallel with receipt of event data via the messaging system. The events processor 280 may reconcile information captured via the metadata collection process with event data information to prevent older data from overwriting newer data.

The events processor 280 may process the metadata, the event data, and the configuration information to populate the analytics datastore 292. The analytics datastore 292 may include an entry or record for each item in the VFS 260, as well as a record for each audit event. In some examples, the event data may include a unique user identifier that ties back to a user, but is not used outside of the event data generation. In some examples, the analytics VM 270 ma retrieve a user ID-to-username relationship from an active directory by connecting to a lightweight directory access protocol (LDAP). In addition, than requesting a username or other identifier associated with the unique user identifier for every event, the events processor 280 may maintain a username-to-unique user identifier conversion table (e.g., stored in cache) for at least some of the unique user identifiers, and the username-to-unique user identifier conversion table may be used to retrieve a username, which may reduce traffic and improve performance of the VFS 260.

In this manner, the analytics datastore 292 may provide up-to-date information about the virtualized file server. The information may be current because it may reflect events, as they occur and are reported from the virtualized file server through the events pipeline. In this manner, file analytics systems described herein may provide real-time reporting—e.g., reports and/or view of the data of the file server which include changes which may have occurred within the last 1 second, 1 minute, 1 hour, and/or other time periods. It may not be necessary, for example, to conduct a full metadata scrape and/or process a bulk amount of data changes before accurate analytics may be reported. Instead, file analytics systems described herein may continuously update their data store based on events as reported by the virtualized file system.

The events processor 280, the visualization component 282, and the query layer 286 may generate reports for presentation via the user interfaces 272, including standard or default reports and/or customizable reports. The reports may be related to aggregate and/or specific user activity; aggregate file system activity; specific file, directory, share, etc., activity; etc.; or any combination of thereof.

In some examples, the user interface 272 may be implemented using one or more web applications. The user interface 272 may communicate with the AVM 270, e.g., with a gateway instance provided by the AVM 270. For example, the API layer 284 (e.g., API server present in a container running on AVM 270) may provide a gateway which may communicate with the user interface 272. The API layer may fetch information, e.g., from the analytics datastore 292, responsive to requests received from the user interface 272, and may return responsive data to the user interface 272. For example, the user interface 272 may be implemented using a web application which may include a variety of widgets—e.g., user interface elements. For example, a text box may allow a requestor to search for files by name, search for users by name, and/or conduct other searches.

In some examples, monitoring of analytics components is provided, e.g., using monitoring service 288 of FIG. 2A. Note that many containers may be provided in the analytics VM 270. Multiple services may be running in the containers. The monitoring service 288 may monitor the status and/or health of services running in the analytics VM 270. The monitoring service 288 may monitor containers and identify whether service is running or not. Beyond the status of the service and the containers, examples of monitoring service 288 may monitor details of the health of the various services running in the containers (e.g., whether the data ingestion engine 294, the analytics datastore 292, the events pipeline shown in FIG. 3, or other services provided by the AVM 270 are operating properly, including but not limited to one or more Kafka services and/or elasticsearch databases described herein). Typically, a specific ping call may need to be made to the service to determine if the service is running properly.

However, the monitoring service 288 may be plugged into each of multiple file analytics components (e.g., data ingestion engine 294, the analytics datastore 292, the data collection framework 296) and additionally monitor the performance of each component separately. For example, the monitoring service 288 may utilize APIs available on multiple components to obtain monitoring and/or health information (e.g., an API for a Kafka server and/or an elasticsearch or other database engine). The monitoring service 288 may provide an output (e.g., a JSON file in some examples) that reports the health of the whole system (e.g., health of containers, whether services are running, and additionally whether the services are operating as intended). Normally would need a ping call to the service to determine if the service was working properly, however the monitoring service 288 is able to monitor the containers, the fact that the services are operating, and also the internal health of the services.

Accordingly, the monitoring service 288 may monitor the entire stack from the infra layer to the application layer—e.g., all components as shown as included in the analytics VM 270. The monitoring service 288 may communicate with one or more other monitoring services (e.g., services used to monitor the VFS 260). In this manner, a single view may be obtained of the health of the VFS 260 and the analytics system.

In some examples, the monitoring service 288 accordingly may provide the storage utilization and/or memory and/or processing utilization (e.g., CPU utilization) for the analytics VM 270, including multiple (e.g., all) of its components. This utilization information may be provided to a monitoring service also monitoring the VFS 260 for utilization metrics such that platform resources may be allocated appropriately as between the analytics VM 270 and other components of the VFS 260.

In order to facilitate monitoring without unduly disrupting service operation, services running on the analytics system (e.g., analytics VM 270) may have an embedded remote procedure call (RPC) service. The embedded RPC service may, for example, provide a separate thread for the service that is monitoring the health of the main process thread. In some examples, the separate monitoring thread may collect particular health information—e.g., number of connections, number of requests being services, CPU utilization, and memory utilization. The monitoring service 288 may call the embedded RPC service in the processes to obtain monitoring information in some examples. This may minimize and/or reduce disruption to the operation of the services. Accordingly, the monitoring service 288 may make API calls to some services to obtain monitoring information, and may make calls to embedded RPC services for other components.

Examples of monitoring and/or health information which may be collected by the monitoring service 288 include, but are not limited to, a number of documents, number of events, and/or number of users in a file system (e.g., in VFS 260). The overall health of the file analytics system. In some examples health and monitoring information may be reported and/or displayed—e.g., using UI 272 of FIG. 2A. A positive indicator (e.g., green light or text) may be displayed when all the monitored services and containers are running. A medium indicator (e.g., yellow light or text) may be displayed when at least one service is down and/or a resource is beyond a threshold. A negative indicator (e.g., red light or text) may be displayed when at least one monitored container is down and/or more than one service is down. Monitoring indicators may be displayed for monitored containers—e.g., a database container (e.g., elasticsearch), a data ingestion container (e.g., Kafka container), and/or an API container (e.g., gateway container and/or data analytics framework). In some examples, resource utilization may be monitored by monitoring service 288 including host CPU and memory utilization of one or more of the computing nodes in VFS 260 for example. Memory utilization of one or more data ingestion processes (e.g., Kafka servers) may be monitored. Processor, memory, and/or buffer cache utilization of a database container (e.g., elasticsearch) may be monitored.

Some monitored parameters may be based on a latest run on the monitoring service 288 (e.g., latest API and/or RPC call). Those may include number of documents, number of events, number of users, overall health of file analytics, health for individual containers, and/or service health. Other monitored parameters may be based on data accumulated from multiple runs (e.g., host CPU and memory utilization, disk usage, volume group usage, database CPU, memory and buffer cache utilization, data ingestion engine memory utilization). In some examples, the monitoring service 288 may query containers and/or services periodically, e.g., every 10 seconds in some examples. Monitoring data may be stored in one or more databases, such as in analytics datastore 292 of FIG. 2A and/or analytics datastore 320 of FIG. 3.

The monitoring service 288 may include multiple monitors (e.g., monitoring processes) in some examples. For example, a host resource monitor, a container resource monitor, and a container and/or service status monitor may be included in monitoring service 288 in some examples. The host resource monitor may be used to obtain current resource utilization (e.g., CPU, memory, disk, volume group) of a host file system—e.g., VFS 260, which may include the analytics VM 270 itself in some examples. The container resource monitor may obtain current resource utilization (e.g., CPU, memory, and/or buffer cache utilization) of containers, such as a data ingestion engine container (e.g., data ingestion engine 294, which may be or include a Kafka server), and/or a database container (e.g., elasticsearch container), such as analytics datastore 292. The container and/or service status monitor may obtain the current status of the monitored containers (e.g., running and/or not running) and the status of services running inside the containers. In some examples, the consolidated health data obtained by the monitoring service 288 may be stored in a single document format (e.g., elasticsearch document, JSON).

In some examples, the monitoring service 288 may generate an alert when a comparison of resource usage for a component with a threshold is unfavorable (e.g., when disk usage is over 75 percent, when CPU usage is over 90 percent, when available memory is under 10 percent, although other threshold values may also be used). In some examples, however, resource usage may compare unfavorably with a threshold for a period of time, and it may not be desirable to raise an alert.

Accordingly, in some examples an alert may not be provided by the monitoring service until after an elapsed period of time (e.g., 15 minutes), and a re-check of the resource usage which still results in an unfavorable comparison to threshold. In some examples, the monitoring service may maintain a log (e.g., a dictionary) of the resource name and resource usage value for the past several runs of the monitoring service (e.g., five runs). Only when the values for all several runs (e.g., all five runs) or some percentage of the runs compare unfavorably with a threshold will an alert be raised. The log (e.g., dictionary) may be stored, for example, in the datastore 320 of FIG. 3.

FIG. 2B is an example procedure which may be implemented by monitoring service 288 to raise alerts. The monitoring service 288 may collect health data on or more containers and/or services in block 210. The health data may indicate whether or not the service is not healthy (e.g., running or operational). The monitoring service 288 may analyze the health data in block 212 to ascertain whether the service is healthy. If the service is not healthy (e.g., the health data indicates the service is not running or operational), the lack of health may be logged by the analytics VM (e.g., the monitoring service 288) in block 214, and an alert raised in block 216 (e.g., the analytics VM, such as using monitoring service 288, may display an alert, or may email, text, or otherwise report an alert).

If the service is healthy, the monitoring service 288 may collect resource consumption data for the service (e.g., CPU usage, memory usage, disk usage, volume group usage, etc.) in block 218. Resource threshold parameters may also be accessed in block 220 (e.g., the monitoring process may access threshold parameters from a configuration and/or profile file accessible to the monitoring service). The resource threshold parameters may include, for example, a lower threshold, an upper threshold, and/or a duration limit. If the service's resource usage is greater than the lower threshold (e.g., checked by the monitoring process in block 222), the status may be logged in block 224. If the service's resource usage are less than the upper threshold (e.g., checked by the monitoring process in block 226, the status may be logged in block 224. While the checks against the lower threshold and upper threshold are shown as consecutive blocks 222 and 226 in FIG. 2B, it is to be understood that the checks could happen in either order. In some examples, the block 222 and block 226 may happen wholly and/or partially simultaneously. If the service's resources are less than the lower threshold and/or greater than the upper threshold, however, the monitoring service may evaluate, e.g., in block 228, whether the consumption has been over a threshold for less than the duration limit. If the consumption has been unfavorable relative to a threshold for less than a duration limit, the situation may be logged in block 224. However, if the consumption has been unfavorable relative to a threshold for more than a duration limit, an alert may be raised (e.g., an alert may be displayed, emailed, texted, or otherwise reported) in block 230.

FIG. 3 illustrates a flow diagram 300 associated with ingestion of information from a virtualized file server (VFS) file system 360 by a analytics VM 370 according to particular embodiments. The analytics VM 370 may to retrieve, organize, aggregate, and/or analyze information corresponding to the VFS file system 360 in an analytics datastore 320. The VFS 160 and/or the analytics VM 170 of FIG. 1A and/or the VFS 260 and/or the analytics VM 270 of FIG. 2 may implement the VFS file system 360 and/or the analytics VM 370, respectively. The architecture of FIG. 3 can be implemented using a distributed platform that contains a cluster of multiple host machines that manage a storage pool, which may include multiple tiers of storage. In some examples, the analytics VM 370 may be hosted by one or more of the cluster of multiple host machines. In some examples, the analytics VM 370 may be provided by a computing system in communication with the cluster of multiple host machines. In some examples, the analytics VM 370 may be provided as a hosted cloud solution, e.g., provided on a cloud computing platform and configured for communication with a the VFS 360.

As shown in the flow diagram 300, the FSVM1-N of the VFS 360 may each include an audit framework 362 to provide a pipeline for audit events that flow from each of the FSVM1-N through the message system (e.g., a respective producer channel(s) 310, a respective producer message handler(s) 312, and a message broker 314) to an events processor 316 (e.g., a consumer message handler) and a consumer channel 318 of the analytics VM 370.

The audit framework 362 of each of the FSVM1-N may be configured to support the persistent storage of audit events within the VFS 360, and well as provision of the event data to the analytics VM 370. In some examples, while the audit framework 362 is shown as being part of the FSVM1-N, the audit framework 362 may be hosted another component (e.g., application, process, and/or service) of the VFS 160 or another component of the distributed computing system or in communication with the distributed computing system 100 (e.g., computing node administrative system, virtualization manager, the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.) The audit framework 362 may each include a dedicated event log (e.g., tied to a FSVM-specific volume group) that is capable of being scaled to store all event data and/or metadata for a particular FSVM until successfully sent to the analytics VM 370. The audit framework may include an audit queue, an event logger, an event log, and a service connector. The audit queue may be configured to receive event data and/or metadata from the VFS 360 via network file server or server message block server communications, and to provide the event data and/or metadata to the event logger. The event logger may be configured to store the received event data and/or metadata from the audit queue, as well as retrieve requested event data and/or metadata from the event log in response to a request from the service connector. The service connector may be configured to communicate with other services (e.g., such as a message topic broker 314) to respond to requests for provision of event data and/or metadata, as well as receive acknowledgments when event data and/or metadata are successfully received by the analytics VM 370. The events in the event log may be uniquely identified by a monotonically increasing sequence number, will be persisted to an event log and will be read from it when requested by the service connector.

The event logger may coordinate all of the event data and/or metadata writes and reads to and from the event log, which may facilitate the use of the event log for multiple services. The event logger may keep the in-memory state of the write index in the event log, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

Multiple services may be able to read from event log via their own service connectors (e.g., Kafka connectors). A service connector may have the responsibility of sending event data and metadata to the requesting service (e.g., such as the message topic broker 314) reliably, keeping track of its state, and reacting to its failure and recovery. Each service connector may be tasked with persisting its respective read index, as well as being able to communicate the respective read index to the event logger when initiating an event read. The service connector may increment the in-memory read index only after receiving acknowledgement from its corresponding service and will periodically persist in-memory state. The persisted read index value may be read at start/restart and used to set the in-memory read index to a value from which to start reading from.

During service start/recovery, service connector may detect its presence and initiate an event read by communicating the read index to the event logger to read from the event log as part of the read call. The event logger may use the read index to find the next event to read and send to the requesting service (e.g., message topic broker 314) via the service connector.

As previously discussed, the audit framework 362 and event log may be tied to a particular FSVM in its own volume group. Thus, if a FSVM is migrated to another computing node, the event log may move with the FSVM and be maintained in the separate volume group from event logs of other FSVMs.

The message broker 314 may, for example, be implemented using a broker which may be hosted on a software bus, e.g., a Kafka server. The message broker may store and/or process messages according to topics. Each topic may be associated with a number of partitions, with a higher number of partitions corresponding to a faster possible rate of data processing. In some examples, a topic may be associated with each file server FSVM1-N of an associated VFS 360. In some examples, a topic may be associated with individual or groups of FSVMs. The topic may be used by the FSVM1-N as a destination to which to send events. In some examples, a topic may indicate a priority level. Examples of topics include high, medium, low, and bursty/high. For example, a high topic may have a larger number of partitions of the message broker dedicated to the high topic than are dedicated to a medium or low topic. In some examples, a bursty topic may be used to accommodate a spike in user activity at the file server—event data during this spike may be put in a bursty topic with a large number of associated partitions. The Kafka server may be implemented in a docker container with any number of partitions. The Kafka server may be included in analytics VMs described herein. Consumers (e.g., one or more nodes of an analytics datastore) may consume messages from the message broker by topic in some examples.

To provide audit event data, the audit framework 362 associated with each FSVM1-N of the file system 360 may publish audit events (e.g., event data) to a respective producer channel 310, which are received and managed by a respective producer message handler 312. The respective producer message handlers 312 may forward the audit events to the message broker 314. The message broker 314 may route the audit events to consumers, including the events processor 316 of the analytics VM 370, which are routed to and stored at the analytics datastore 320 via a consumer channel 318.

The analytics VM 370 and/or the VFS 360 may further include architecture to prevent event data from being processed out of chronological order. For example, the service connector of the audit framework 362 and/or the message topic broker 314 may keep track of message sequence number it has seen before failure, and may ignore any messages which have sequence number less than and equal to the sequence it has seen before failure. An exception may be raised by the message topic broker 314 if the event log does not have the event for the sequence number expected by the service connector or if the message topic broker 314 indicates that it has received a message with a sequence number that is not consecutive. In order to use the same event log for other services, a superset of all the proto fields will be taken to create a common format for event record. The service connector will be responsible for filtering the required fields to get the ones it needs.

Also, as described, message broker 314 may store and/or process messages according to topics, which may each be divided into a number of partitions, with a higher number of partitions corresponding to a faster possible rate of data processing. To ensure data for a particular file (e.g., or share, directory, etc.) is processed in chronological order, event data records for a particular file may be routed to the same partition.

The analytics datastore 320 may be implemented using an analytics engine store, such as an elasticsearch database. The database may in some examples be a distributed database. The distributed database may be hosted on a cluster of computing nodes in some examples. In some examples, the analytics datastore 320 may be segregated by age and may be searched in accordance with data age. For example, once an event or metadata data crosses an age threshold, it may be moved to an archive storage area. Data in the archive storage area may be accessed and included in search and other reporting only when specifically requested in some examples. In some examples, when archived event and/or metadata crosses a certain age threshold, it may be deleted.

In an example of a data archive configuration, a first category of data may be a ‘hot’ category and may be associated with that category if it is less than a first threshold of age (e.g., within 1 month). A second category of data may be ‘warm’ data which may be between a range of age (e.g., between 1-6 months old). A third category of data may be ‘cold’ data which may be between a range of age (e.g., between 6-12 months old). A fourth category of data may be ‘frozen’ data which may be archived and may be over a threshold old (e.g., older than 12 months). Archived data may be generally stored in any archive repository, including, but not limited to, any NAS (e.g., NFS/SMB), Amazon Web Services S3, Hadoop distributed file system, Azure, etc. A fifth category of data may be deleted, such as when it has been archived for over a threshold time (e.g., archived for more than 12 months). Archives may be deleted in some examples using snapshot and restore APIs. In some examples, certain categories of data may be included in searches and queries performed by the analytics VM by default, and some only with user request. For example, the hot and warm categories may be included in searches and/or reporting by default, while the cold, frozen, and/or archived categories may be included only by user request.

In some examples, event data may be collected as syslog events. The events may be provided to the analytics datastore 320 (e.g., by events processor 316) using filebeat and an ingest pipeline.

In some examples, the events processor 316 may be implemented, at least in part, using a Kafka connector. In some examples, the analytics datastore 320 may be implemented using an elasticsearch cluster. The events processor 316 may perform a variety of functions on event data received from the broker. In some examples where the message broker may be implemented with a Kafka server, a Kafka connector may be used to pull events from the Kafka server and ingest them into the analytics datastore (e.g. elasticsearch cluster). For example, the events (e.g., a Kafka message indicative of an event) may be provided in a protocol buffer standard, which may be used to generate a protocol buffer event object provided by the broker (e.g., Kafka server). The events processor 316 may de-serialize received objects (e.g., data, protocol buffer event objects). The events processor 316 may map message fields of the data to those of the analytics datastore 320 (e.g., to elasticsearch fields). The events processor 316 may parse and extract information from the event data. The events processor 316 may ingest the data into indices of the analytics datastore 320 (e.g., to elasticsearch indices). In some examples, data may be indexed into a particular folder based on an event type. Event types may include folder or directory or other classification of portion of the file server pertaining to the event. The events processor 316 may perform data exception handling.

In some examples, the analytics datastore 320 may be scaled in accordance with an amount of data being processed by message brokers (e.g., Kafka servers). Multiple consumers (e.g., analytics datastore nodes, such as elasticsearch nodes) may process data from particular topics. Generally, the multiple consumers processing data from topics may form a group designated by a unique name in the datastore (e.g., cluster). Messages published to the message broker may be distributed across database instances (e.g., analytics datastore nodes) in the group, but each message may be handled by a single consumer in the group in some examples.

In some examples, the analytics VM may monitor throughput of one or more message topics. Based on the read throughput for the topic, the analytics VM may cause horizontal scaling of the analytics data store. For example, when read throughput falls below a particular level, the analytics VM may spin up another node of the analytics datastore. The new node may be subscribed to the topic having the below-threshold read throughput. When read throughput falls above a particular level for a particular topic, in some examples, the analytics VM may spin down (e.g., remove) a node of the analytics data store subscribed to that topic.

In this manner, when a new instance of the analytics datastore joins a group subscribed to a topic, a rebalancing may occur in the message broker (e.g. Kafka server). The message broker may reassign partitions (e.g., topics) to consumers based on metadata regarding the analytics datastore. Advantageously, the use of multi-node analytics datastores may add fault tolerance. For example, if a node of the analytics datastore goes down, the message broker may engage in rebalancing to distribute assignments among remaining analytics datastore instances.

Accordingly, referring to FIG. 3, the messaging system, including the producer message handler 312, the message topic broker 314, and the events processor 316 may process multiple audit event threads in parallel, which may aid in keeping the integrity of those audit events (e.g., keeping the events in order) such that a new event may not be overwritten by an older event in the analytics datastore 320, even if the older event is received out of order.

In addition, the analytics VM 370 may retrieve metadata and configuration information from the file system 360 via a metadata collection process 330 and a configuration information collection process 340, respectively. In some examples, the configuration information collection process 340 includes an API architecture. In some examples, the event data and the metadata may include a unique user identifier that ties back to a user, but is not used outside of the event data generation. In some examples, a portion of the configuration information collection process 340 may include the retrieval of a user ID-to-username relationship from an active directory by connecting to a lightweight directory access protocol (LDAP). In addition, rather than requesting a username or other identifier associated with the unique user identifier for every event, the analytics VM 170 may maintain a username-to-unique user identifier conversion table (e.g., stored in cache) for at least some of the unique user identifiers, and the username-to-unique user identifier conversion table may be used to retrieve a username, which may reduce traffic and improve performance of the VFS 160. Any to provide user context for active directory enabled SMB shares may help an administrator understand which user performed which operation as well as ownership of the file. In some examples, the configuration information collection process 340 may include a synchronization operation to retrieve share status from the VFS 360. Thus, if a share is deleted, that information may be updated in the analytics datastore 320.

The metadata collection process may include gathering the overall size, structure, and storage locations of parts of the file system managed by the VFS 360, as well as details for each data item (e.g., file, folder, directory, share, owner information, permission information, etc.) in the VFS 360. In some examples, the metadata collection process 330 may utilize SMB and/or NFS commands to obtain metadata information. Metadata which may be collected may include, but is not limited to, file owner, group owner, ACLs, total space on share, free space on share, list of available shares, create time, last access time, last change time, file size, list of files and directory at root of share.

In some examples, the metadata collection process 330 may initially gather metadata for a set of (e.g., all) files hosted by an associated file server. In some examples, the metadata collection process 330 may scan snapshots of the file server. In some examples, the metadata collection process 330 may initially, or subsequent to an initial scan, use one or more snapshots of the VFS 360 to receive initial and/or updated metadata, such as a snapshot provided by a disaster recovery application of the VFS 360. For example, the analytics VM 370 may mount a snapshot of the VFS 360 to retrieve metadata from the VFS 360. Each snapshot may represent a state of the file system managed by the VFS 360 at a point in time. The analytics VM 370 may use the information gathered from the one or more snapshots to develop a comprehensive picture of the file system managed by the VFS 360 at a point in time, as well as to derive events by comparing successive snapshots.

In some examples, the metadata collection processes performed by the analytics VM 370 may include a multi-threaded breadth-first search (BFS) that involves performing parallel threaded file system scanning. The parallel threaded file system scanning may include parallel scanning of different shares, parallel scanning of different folders of a common share, or any combination thereof. In some examples, the metadata collection process may implement a parallel BFS with level order traversal of a directory tree to collect metadata. Level order traversal may include processing a directory tree one level at a time. For example, starting with a top-level directory, a first level of a directory tree is processed before moving onto a next level a next level of the directory tree. The level order traversal includes a current queue, which includes each item in the level of the directory tree currently being processed, and a next queue, which includes children of the level of the directory tree currently being processed. When processing of the current queue is completed, the current queue may be loaded with the next queue entries. By performing level order traversal, a size of the two queues may be more manageable, as compared with a system where every item from a directory tree being loaded into a single queue. The parallel BFS may include starting a thread on each level, and letting processing of all the data items on that level get complete in the current queue before making a move to the next or child queue.

In some examples, during the metadata scan, the VFS 360, the analytics VM 370, or another service, process, or application hosted or running on or in communication with the system of FIG. 3A may add a checkpoint or marker after every completed metadata transaction to indicate where it left off. In some examples, when processing of the current queue is complete, the current queue may be stored as the checkpoint before loading the next queue into the current queue. The checkpoint may allow the analytics VM 370 to return to the checkpoint to resume the scan should the scan be interrupted for some reason. Without the checkpoint, the metadata scan may start anew, creating duplicate metadata records in the events log that need to be resolved.

In some examples, the analytics VM 370 may make an initial snapshot scan of the VFS 360 to obtain initial metadata concerning the file system (e.g., number of files, directories, file names, file sizes, file owner ID and/or name, file permissions (e.g., access control lists, etc.)) using the FSVM1-3 snapshots. The analytics VM 370 may provide an API call (e.g., SMB ACL call) to the VFS 360 to retrieve owner usernames and/or ACL permission information based on the owner identifier and the ACL identifier.

For disaster recovery, the FSVMsI-N or another component (e.g., application, process, and/or service) of the VFS 360 or another component of the clustered virtualization environment or in communication with the clustered virtualization environment 200 (e.g., computing node, administrative system, virtualization manager, storage controller, CVMs, hypervisors, etc.) may periodically generate new, updated snapshots of the file system to aid in disaster recovery over time. In some examples, in addition to use of individual ones of the snapshots to determine a state of the file system at a point in time, the analytics VM 370 may compare different versions of the snapshots to detect metadata differences, and then may use those detected metadata differences to derive event data. For example, if the metadata of a first snapshot indicates that a particular share has a first size and the metadata of a second snapshot indicates that the particular share has a second size, the analytics VM 370 may generate an event that the size of the particular file was changed from the first size to the second size. Other types of events may be derived by the analytics VM 270 if a metadata comparison between two snapshots reveals that a file/folder/share/directory/etc. is added, removed, moved, or some other change has taken place.

In some examples, the shares of the file system managed by the VFS 360 may be sharded (e.g., distributed across multiple FSVMs 362), which may impact capturing of a complete set of metadata for the file system. Thus, as part of the metadata collection process, a distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM IDs (e.g., IP addresses) to be mounted to access a full share. However, in some examples, the analytics tool may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if a FSVM1 snapshot for a portion of a share hosted by one of the FSVMs 362 is mounted, the analytics VM 370 may identify all folders (e.g., top-level directories), but not all data for the share may be available via the snapshot. Rather, some of the data may be hosted on other FSVMs 362 of the VFS 360, and stored in snapshots generated by those FSVMs. In some examples, the analytics VM 370 may map top-level directories to the FSVMs 362 using the snapshots, and then may use that information to traverse those directories. So, for example, the analytics VM 370 may identify that a pair of FSVMs 362 may host a particular top-level directory when scanning the respective snapshots. In order to scan all of the metadata for that top-level directory, snapshots generated by other FSVMs 362 may be accessed and scanned to retrieve the rest of the data. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics VM 370, even without use of a DFS Referral. The metadata retrieved during the metadata collection process may be used to present information about the VFS 360 to a user via a user interface or via a report. The metadata may also be used to analyze event data, and to present recommendations to an administrator. For example, the analytics VM 370 may compare access history for a share with an ACL assigned to the share to recommend a change in the ACL based on the access history.

After an initial metadata collection, in some examples, the metadata collection process 330 may gather metadata for only selected files associated with an audit event received. In some examples, the metadata collection process 330 may utilize active directory (AD) credentials to interact with the associated file server and obtain metadata. The credentials may be provided to the analytics VM 370 in some examples by an administrator.

In some examples, analytics VM 370 may receive a notification when a file server 360 (e.g., one or more of FSVM1-N) subscribe to analytics services. Responsive to the notification, the analytics VM 370 may initiate the metadata collection process 330 to gather initial metadata. The notification may be implemented using, for example, an API call. In some examples, the API call may write an identification of the file server 360 subscribing to the analytics services and the analytics VM 370 may monitor the file for changes to receive notification of a new file server and/or file server VM subscribing to analytics. In some examples, a thread or process may periodically scan the analytics datastore 320 including a store of the file server name(s). If a new file server name is found, the analytics VM 370 may initiate the metadata collection process 330 to gather initial metadata.

To gather initial metadata, the analytics VM 370 may obtain an identification of shares present on the file server 360, and store the identification of the shares in the analytics datastore. For each share, the analytics VM 370 may obtain an identification of all files and directories present on the share. For each file and directory, the analytics VM 370 may gather metadata for the file and/or directory and store the metadata in the analytics datastore 320. In some examples, the analytics VM 370 may track the progress of the initial metadata collection. A scan status may be stored in the analytics datastore and associated with each share. When the initial metadata collection begins, a scan status may be set to an initial value (e.g., “started” or “running”) in the analytics datastore 320. When the collected metadata is stored in the analytics datastore 320, the scan status may be set to a completed value (e.g., “complete”). If a failure occurs during the metadata collection process 330, the scan status may be set to a failure value (e.g., “failed”).

In some examples, the analytics VM 370 may access the scan status—periodically in some examples (e.g., every hour). If a failed scan status is encountered, the analytics VM 370 in some examples may restart a metadata collections process for that share.

In some examples, the metadata collection process 330 is initiated to gather metadata at a point in time, and changes that occur thereafter may be tracked via the event pipeline. For example, when a new share is added to the virtualized file server 360 after the metadata collection process 330 has started, the analytics VM 370 may not perform an initial metadata gathering process responsive to addition of the new share. Instead, the existence of the new share and events relating to the new share may be captured using the events pipeline, and metadata associated with the events may be obtained from the event data. Similarly, new files may be tracked based on events coming through the events pipeline and need not initiate a full metadata collections process just based on the addition of a new file or folder.

In some examples, communications for the metadata collection process 330 and/or the configuration information collection process 340 may flow through the audit framework 362 using the message topic broker 314 without departing from the scope of the disclosure. In some examples, the metadata collection process 330 and/or the configuration information collection process 340 may include use of API calls for communication with the VFS 360.

Metadata and/or events data stored in the analytics data store may be indexed. For example, an index may include events data collected over a particular period of time (e.g., last day, last month, last 2 months, last 3 months). In this manner, queries executed by an AVM (e.g., by query layer 286 of FIG. 2A) may query a particular index or indices, avoiding a need to query the entire data store. Metadata and/or events data may accordingly be stored in the analytics data store by storing the data together with an index indicator.

In some examples, certain indices may be maintained to assist with intended reporting of analytics from the AVM. For example, one index may be for anomalies, and may store anomalies detected from audit trails (e.g., from event data). The anomaly index may be queried (e.g., by the AVM) to present information about the occurrence of anomalies. Information stored in the anomaly index may include an array of anomalies for each user, an array of anomalies for each file and/or folder, an ID of the anomaly, a user ID of a user causing an anomaly, operation name(s) included in the anomaly, and a count of operations occurring in the anomaly.

One index may be for capacity and may store capacity metrics for a file server. The AVM may periodically calculate statistics regarding the number of files, counts per file type, capacity change per type, etc. and store the information in this index. Examples of capacity data may include capacity by file type or category, removed capacity by file type or category, added capacity by file type or category, total capacity added, number of files added, capacity removed, capacity change, number of modified files, capacity change by file type or category, number of deleted files, net capacity change. Other metrics may also be used.

Indices may be provided for audit logs (e.g., event data). The event data may be indexed per-time period (e.g., per month). Information that may be stored in the audit log index may include a name of a file or folder for which the event occurred, name or ID of a user generating the event, operation performed by the user, status of the event, old name of the file or folder (e.g., for rename events), object ID for the event, path of the file or folder affected by the event, IP of the machine from which the event was triggered, old parent ID of the file or folder (e.g., for move events), time stamp of the event. Other data may also be stored.

An index may be provided for users, and may store unique IDs of users for the file server. Other information stored in a user index may include user email, last event timestamp for a last action taken by the user, user name, object ID of a file and/or folder on which the user last performed an event, IP address of machine from which the user last operated, last operation performed by the user. Other user information may also be stored in other examples.

An index may be provided for files, and may store unique IDS of files in the file server. Examples of data that may be stored in a file index include last access timestamp, name of file creator, size of file, indicator if file is active, timestamp of last event performed on the file, ID (e.g., UUID) of the file server share to which the file and/or folder belongs, user ID of user performing the last event on the file, ID of the parent file and/or folder (e.g., hierarchical parent in a directory structure), ID of a user performing a last event on the file, time of file creation, file type, filename. The various indices may be queried to provide information as needed for various queries.

A set of categories may be defined and utilized for reporting and/or displaying data. Each category may be associated with multiple file type extensions. For example, an image category may include .jpg, .gif. A Microsoft Office category may include .doc, .xls. A video category may include .mpg, .avi, .mov, .mp4, etc. Other categories include, for example, Adobe (e.g., .pdf), log, archive, installers, etc. Associations between category names and file extensions may be stored in memory accessible to the AVM. The associations may be configurable, e.g., an admin or other user may revise and/or update the associations between file types and categories, e.g., using user interface 272.

Accordingly, examples of files analytics systems described herein may collect event data relating to operation of a file system. In some examples, a particular sequence of events may have a particular meaning as understood by a user and/or an administrator. It may be desirable to be able to query and represent the intended event instead of and/or in addition to the actual sequence of events. For example, in some applications (e.g., MICROSOFT WORD), multiple actions on a file system may be taken in order to achieve an intended action (e.g., editing a file). In some examples, applications may use temporary files as part of the processing of editing a given file. The temporary files may be used to store changes to the file. The temporary files may then be retained as the original file (with the original file being deleted), and/or the temporary files may be deleted and content in the file moved to the original file.

In the example of Microsoft Word, when a user intends to edit a file, a new file will be created by MICROSOFT WORD (e.g., having a same name and with a temporary extension). So, for example, consider an example file ‘abc.doc’ stored in the virtualized file server 260 of FIG. 2A. Responsive to a user editing the file, MICROSOFT WORD creates a new file with a temporary extension (e.g., ‘abc.tmp’ and/or ‘x.tmp’). Write operations may occur with respect to the temporary file. When the editing is complete (e.g., when a user saves the file and/or closes the application), the WORD may delete the original ‘abc.doc’ and rename ‘x.tmp’ to ‘abc.doc’. For example, the temporary file may be retained with the name of the original file (e.g., ‘abc.doc’) and the original ‘abc.doc’ file may be deleted. The event data received by the AVM 270 in this scenario may include the creation of a new file (‘abc.tmp’), writes to the temporary file ‘abc.tmp’, the deletion of the temporary file (the original ‘abc.doc’), and the creation of a new file (the new ‘abc.doc’). Such a recording of events may compromise the use of the analytics available through the analytics system because future events may not be recognized as occurring to the same file as the original ‘abc.doc’—the files analytics system may consider there to be two separate files and may not be able to represent a continuous flow of events associated with a single ‘abc.doc’ file, which was the intended operation of the user. An example sequence of events for a single write cycle may be as follows:

Event # Event Type File Inode File Name New File Name 1 Create 100 abc.docx — 2 Rename 100 abc.docx x.tmp 3 Create 200 y.tmp — 4 Write 200 y.tmp — 5 Delete 100 x.tmp — 6 Rename 200 y.tmp abc.docx

The events are shown consecutively numbered in the above table for ease of discussion. The event type is shown. The file ID (e.g., file iNode) is shown, together with the file name. The file ID (e.g., file iNode) may be a unique ID for the file in the file system.

As shown in the above sequence of events, the original file abc.docx starts as a file with inode 100 but ends up as a file with inode 200 after the write is done. This way the inode may keep changing on each write. If any analytics is fetched for the file then the analytics system may need to consider all the inodes for the file in order to get the full & correct audit trail for the file. A reliable mechanism to link all these inodes to the same lineage may be needed to obtain accurate analytics.

Referring to FIG. 3, a lineage index may be maintained in the analytics datastore 320. The lineage index may follow a parent-child schema (e.g., the index may include a series of records which relate a parent file to one or more temporary files). Each record (e.g., document) in the index may represent a lineage root or a child associated with a lineage root. In this manner, the lineage may not be a multi-level hierarchy. Rather, a single record may exist for a parent-child (e.g., file-temp file) association. Each document in the index may include an object ID (e.g., unique file ID, such as iNode number), type of document (e.g., parent or child), and lineage root ID (e.g., unique file ID, such as iNode number, for the parent in the case of a child record, or child in the case of a parent record).

In some examples, the events processor 316 may populate the lineage index. For example, the events processor 316 may execute a lineage management process which may identify temp file events and establish a lineage between files. For example, the lineage management process may search incoming events and/or events stored in the analytics datastore 320 for files meeting lineage management criteria. Lineage management criteria may refer to the presence of a sequence of events indicative that a file was renamed, moved, and/or altered to a temporary file. For example, the lineage management process may search event data for rename events where a particular file extension indicative of a temporary file (e.g., .tmp) was renamed to another file extension (e.g., .doc). Generally, the lineage management process may identify a known and/or configurable event and/or set of events indicative of a lineage relationship (e.g., relationship where one file is intended to be treated the same as another file for events purposes). For example, the temporary files may be identified by extension (e.g., ‘.tmp’ in the table above) and renames of files having temporary extensions may be used as a lineage management criteria. So, for example, the lineage management process may identify that file inode 200 may be a candidate for lineage management because of event 6 where the .tmp file is renamed to .docx. Other criteria may also be used. The lineage management process may identify a corresponding event to establish a lineage. For example, the lineage management process, having identified the file inode 200 as a candidate based on the rename of the .tmp file to .docx in event 6, may identify a corresponding event as event 2 where the file ID (e.g., inode 100) was renamed from abc.docx to a temporary file x.tmp. While x.tmp here is used as an example, generally the temp file may be named with˜followed by the original filename.tmp, so it may be ˜abc.tmp in some examples. In this manner, the lineage management process may identify the inode 100 as associated with the inode 200.

The lineage management process may further search incoming events and/or events stored in the datastore 320 which may have been performed on the related lineage file. The lineage management process may verify whether the unique file ID (e.g., inode) on which the event occurred is already part of a lineage or is a lineage root itself, such as by searching the existing lineage index. The lineage management process may then establish the lineage accordingly as a root and/or child.

In other examples, the events processor 316 may ensure that file and event records associated with a particular lineage are updated to reflect that lineage. For example, each record in the lineage index may include an object ID and an object lineage root reference, which object lineage root reference indicates the lineage for a file. For example, the events processor 316 may identify each file ID that is involved in a potential temp file event and mark the file for further processing (e.g., both file IDs 100 and 200 may be identified in the example of the above table due to their rename events). The events processor 316 may execute a separate process that identifies lineage for the marked files (e.g., by examining the sequence of events in the above table and/or a lineage index). The corresponding event records for the marked files may be updated to include the object lineage root reference.

While examples have been described where the events processor 316 determines lineage of various files in temp-related events, in some examples, lineage may be determined by the file server (e.g., file server 260 of FIG. 2A). For example, an API gateway on one or more of the FSVMs of the file server 260 may include one or more software processes to calculate the lineage (e.g., association between one or more files), and provide the lineage together with the events data to allow the events processor 316 to store the lineage data in the datastore.

In this manner, the lineage of related files may be maintained in a lineage index and/or object lineage root reference in the datastore 320. This lineage index and/or object lineage root reference may be utilized when responding to queries (e.g., queries by API layer 284 of FIG. 2A) to allow for the intended behavior to be represented.

An example query issued by the API layer 284 of FIG. 2A to the datastore 320 may be to provide an audit trail for a given file (e.g., all events associated with a particular file ID). In examples described herein, the API layer 284 may check the lineage index of the datastore 320 to locate all related lineage IDs for the file ID. The audit index of the datastore 320 may accordingly be searched for all events belonging to the file ID and any related lineage IDs. Accordingly, a complete set of events may be gathered.

In some examples, the API layer 284 may filter the complete set of events to remove events associated with the temporary file process or otherwise unrelated to the intended file manipulation. For example, create events may be discarded for all file IDs except the lineage root ID. Additionally or instead, delete events may be discarded for all file IDs except the most recent (e.g., the current file ID of the related file IDs). Additionally or instead, rename events to and/or from temporary file extensions may be discarded for all file IDs. The resulting set of events may be used to report (e.g., display or communicate) the list events associated with the requested file ID. For example, referring to the table above, if a query were received for the inode 200, the API layer 284 may access the lineage index and determine that the inode 100 was a related file ID. All 6 events in the above table may accordingly be retrieved from the datastore 320. The create event #3 may be discarded, and only the create event #1 (of the lineage root inode 100) may be retained. The delete event #5 may be discarded as it is not a delete event relating to the current inode ID 200. The rename events #2 and #6 may be discarded as they related to a rename to and/or from a .tmp extension. In this manner, the list of reported events responsive to the query would be Event #1 (Create), Event #4 (Write). This corresponds to the intended operation of a MICROSOFT WORD user creating the sequence of events—the document was created and written to.

In some examples, the API layer 284 may provide a query to provide aggregate data for a particular entity record. For example, access patterns for a particular file may be requested. The API layer 284 may have the file ID of the requested file, and may search the lineage index for the file ID to obtain all related lineage IDs. The audit index may be searched to aggregate event data for the object ID and all lineage IDs. As described above with respect to the discarded events, events relating to the temporary file manipulation may be discarded.

In some examples, the API layer 284 may provide a query to aggregate data for a list of entity records—e.g., to object top 5 accessed files. The API layer 284 may search the events index for an aggregated count of events per file ID. Rather than only retrieving the requested number of top results, a larger number of results may be retrieved (e.g., 10,000). The results may be compared against the lineage index and results for file IDs related in the lineage index may be combined. For example, the events list may be refined as described above and the revised events list may be used to generate an aggregated count of events per file ID. The top accessed files may be identified from the revised list.

Accordingly, examples described herein may provide a lineage for a given file which relates the file to other files which previously existed but were renamed to, moved to, and/or replaced the given file. This may allow for more complete analytics reporting with respect to the file. In this manner, events data may be stored and/or modified in a manner that reflects user intention. While examples have been described with respect to MICROSOFT WORD, in other examples, event sequences occurring with other applications may be analogously modified (e.g., other MICROSOFT OFFICE applications, vi editor, etc.). For example, any application that utilizes an event pattern for temporary files may be tracked using lineage techniques described herein.

File analytics systems described herein may be utilized to collect, analyze, calculate, report, and/or display various metrics relating to one or more file servers. By utilizing metadata, event data, and/or configuration information which may be collected as described herein various metrics may be obtained and displayed regarding operation of the file server. Note that examples of techniques utilized to persistently store events at the file server until they are consumed (e.g., by one or more analytics VMs), may result in more accurate reporting and metrics being provided from the file analytics system. Because events are persistently stored until consumed, event loss may be reduced and/or eliminated. By reducing the incidence of event loss, resulting metrics calculated and/or reported by the analytics system may have increased accuracy. Examples of metrics, reporting and user interfaces for the file analytics system are described herein, including with reference to FIGS. 4-6. The metrics shown and described may be obtained, calculated, displayed, or otherwise manipulated using event data that may be obtained using persistent storage techniques and/or other techniques described herein.

As another example, techniques described herein for collecting metadata and/or auditing an analytics datastore using metadata collected from one or more snapshots may be advantageous in presenting accurate analytics information. For example, if active scans of the file server were utilized to collect metadata instead of snapshots, it is possible some directories or metadata may be missed in the collection process. As an active file server is scanned for metadata, for example, consider a directory D under a higher-level directory A in a file server that also contains another higher-level directory B. If the metadata collection process were to conduct a metadata scan of the file server during active operation, it may complete metadata collection from directory B and them begin metadata collection from directory A. However, directory D may then be moved, before its metadata is collected, to directory B. In such a scenario, the metadata collection from directory D may be incomplete or inaccurate. Accordingly, the use of snapshots to collect metadata used by an analytics system may improve the delivery of analytics. Examples of metrics, reporting and user interfaces for the file analytics system are described herein, including with reference to FIGS. 4-6. The metrics shown and described may be obtained, calculated, displayed, or otherwise manipulated using metadata that may be obtained from snapshots and/or using other techniques described herein.

As another example, techniques described herein for ensuring in-order processing of event data may be advantageous in presenting accurate analytics information. For example, if event data is processed out of order, analytics related to the use of the file system may be inaccurate or incomplete. Examples of metrics, reporting and user interfaces for the file analytics system are described herein, including with reference to FIGS. 4-6. The metrics shown and described may be obtained, calculated, displayed, or otherwise manipulated using event data that may be obtained using techniques intended to ensure the in-order processing of events and/or using other techniques described herein.

FIGS. 4 and 5 depict exemplary user interfaces 400 and 500/501, respectively, reporting various analytic data based on file server events, according to particular embodiments. The user interfaces 400, and 500/501 may be used, for example, to implement user interface 272 in some examples. As shown in FIG. 4, a top-left portion of the user interface 400 shows changes in capacity of a file server, a top-middle portion depicts age distribution of files managed by the file server, a top-right portion depicts a recent list of anomaly alerts. A middle-left portion of the user interface 400 depicts permissions denials, a center portion of the user interface 400 depicts file size distribution of files managed by the file server, and the middle-right portion of the user interface 400 depicts file-type distribution of files managed by the file server. A lower-left portion of the user interface 400 depicts a list of most active users of the file server, a lower-middle portion of the user interface 400 depicts a list of most accessed files managed by the file server, and the lower-right portion of the user interface 400 depicts trends in types of access operations performed by the file server.

In some examples, atop number of accessed files may be displayed (e.g., in the middle bottom of FIG. 4) together with their details—e.g., filename, file path, owner, and number of events performed on the file over a particular duration (e.g., last 7 days in the example of FIG. 4). A top 5 list is shown in FIG. 4, although other numbers of top files may be used in other examples, such as top 10 or another number. Clicking the file may further display a list of events associated with the file (e.g., an audit history). A top users widget (e.g., bottom left of FIG. 4) may display a top number of active users together with information about the users, such as username, last accessed file, number of activities performed by the user in a particular duration, etc. Clicking on a username in the widget may display a list of events (e.g., an audit history) associated with the user.

In some examples a file-type distribution widget may be included in a user interface (e.g., in a middle-right portion of the user interface 400 of FIG. 4). The file-type distribution may depict a number of file types (e.g., file extensions and/or categories) for a particular file server (e.g., file server 260 of FIG. 2A), and a quantity of files in each type. In the example of FIG. 4, a segmented bar is shown, with segments each corresponding to a category (e.g., a group of one or more file extensions) and a length of the segment corresponding to a number of flies of that type. The data may be displayed in other ways, for example a bar graph may depict file extensions along an x axis and count for a type of file and/or category on the y-axis.

In some examples, a file-size distribution widget may be included in a user interface (e.g., in a center portion of the user interface 400). The file-size distribution widget may display file distribution by size for a particular file server (e.g., file server 260 of FIG. 2A). The example of FIG. 4 illustrates a number of files fitting into each of several file size ranges. Other representations may be used in other examples. For example, a bar graph may be used having size (or size ranges) on an x-axis and a count of files on the y-axis.

A data age widget may be included in some examples (e.g., in a middle upper portion of FIG. 4). The data age widget may illustrate a relative age of files. In some example, the relative age may be based on a last access of the file. For example, the age of a file may refer to how much time has elapsed since the file was last accessed. In the example of FIG. 4, a total size of data is depicted in each of four age ranges (e.g., less than 3 months, 3-6 months, 6-12 months, >12 months). Other depictions may be used in other examples. A bar graph may show age of files on an x-axis and cumulative size of files of that age on the y-axis.

A files operations widget may be included in some examples (e.g., in a lower right portion of FIG. 4). A quantity of each of several event types (e.g., create file, read, write, delete, permission change) that have occurred in a file server over a queried time may be displayed.

A capacity trend widget may be included in some examples (e.g., in an upper left portion of FIG. 4). The capacity trend widget shows the pattern of capacity fluctuation for the file system. It shows the capacity e.g., storage added, removed and the net change for a particular duration which may be selected from the widget dropdown in some examples. The capacity calculation may be performed in some examples by an AVM. For example, the capacity trend may be regularly (e.g., hourly, every 15 minutes, every 30 minutes, or some other interval) calculated by the AVM using collected metadata and event data. For example, the AVM may query a file index of the data store to obtain added, deleted, and modified county and/or quantities for each file in a file server. A total change may be calculated based on a total change from the current query plus any previous calculated change amount. Net change may be calculated as files and/or quantity added minus files and/or quantity deleted. Generated statistics may be captured and indexed into a capacity index. A query may be made to the capacity index to provide the output shown in the widget.

An anomaly alert widget may be included in some examples (e.g., in an upper right portion of FIG. 4). The anomaly alert widget may show a list of latest anomalies in the file system. An anomaly may refer to, for example, a user performing a number and/or sequence of events that is recognized as anomalous (e.g., changing over a threshold number of file permissions, creating over a threshold number of files, etc.). Anomaly rues may, in some examples, be defined by one or more users of the analytics system described herein and stored in a location accessible to the AVM. The anomaly alert widget may display the anomalous action(s), together with an identification of a responsible user, and a number of files involved.

A permission denial widget may be included in some examples (e.g., in a mid-left portion of FIG. 4). The permission denial widget may display a number of users who performed a permission denied operation within a specified time period.

As shown in FIG. 5, the user interface 500 depicts a distribution of types of events (e.g., close file, create file, delete, make directory, open, read, rename, set attribute, write) performed by a particular user on the file server based on a query over a specified date range. In some examples, the event audit history and/or distribution may be shown per file, per file type, and/or per file server. The user interface 501 depicts a list of the events generated by the query over the specified date range. The user interfaces 400 and 500/501 depicted in FIGS. 4 and 5, respectively, are exemplary. It is appreciated that the user interfaces 400 and 500/501 may be modified to arrange the information differently. It is also appreciated that the user interfaces 400 and 500/501 may be modified to include additional data, to exclude some of the depicted data, or any combination thereof.

In some examples, the events processor 280, the query layer 286, and the policy management layer 283 may manage and facilitate administrator-set archival policies, such as time-based archival (e.g., archive data based on a last-accessed data being greater than a threshold), storage capacity-based archival (e.g., archiving certain data when available storage falls below a threshold), file-type (e.g., file extension) archival, other metadata property-based archival, or any combination thereof.

In some examples, data tiering policies may be determined, changed, and/or updated based on metadata and/or events data collected by file analytics systems. For example, the VFS 160 of FIG. 1A may implement data tiering. Data tiering generally refers to the process of assigning different categories of data to various levels or types of storage media, typically with the goal of reducing the total storage cost. Tiers may be determined by performance and/or cost of the media, and data may be ranked by how often it is accessed. Tiered storage policies typically may place the most frequently accessed data on the highest performing storage. Rarely accessed data may be stored on low-performance, cheaper storage. Storage tiers are often aligned with a stage in the data lifecycle. The main benefits of tiering data may be around how data is managed through its lifecycle. This is in line with best practice data management policies and can also contribute towards data center and storage management; often the success of tiering will be measured by cost impact.

Virtualized file servers, such as VFS 160 of FIG. 1A may implement storage tiering. For example, data may be stored in particular media in the storage pool 156 based on a tiering policy. For example, less frequently accessed data may be stored on a lower performing media. The file server VMs and/or controller VMs and/or hypervisors shown in FIG. 1A may be used to implement a tiering policy and determine on which media to store various data. For example, a tiering engine may be implemented one or more of the nodes of the VFS 160 and may direct the storage and/or relocation of files to a preferred tier of storage.

File analytics systems may provide information to the file server based on captured metadata and/or events data regarding the stored files. The information provided by analytics based on metadata and events may be used by the VFS 160 to implement, create, modify, and/or update tiering policies.

Individual files are may be tiered as objects in a tiered storage (e.g., implemented as part of and/or as an extension of storage pool 156 of FIG. 1A). When a file is moved to the tiered storage, for example at the direction or request of a tiering engine implemented in VFS 160, the data may be truncated from the primary storage in order to save space. The truncated file remains on the primary storage containing the metadata, e.g., ACLs, extended attributes, alternative data stream, and tiering information, e.g., pointers (such as URLs) to access the objects in the tiered storage containing the file data. When the truncated file on the primary storage is accessed by a client (e.g., by a user VM), the data is available from the tiered storage.

In some examples, the decision to tier and/or how and/or when to tier may be made at least in part by a policy engine implemented by the analytics VM 170 of FIG. 1A. For example, policy management layer 283 of FIG. 2A may be used to implement the policy engine. The policy engine may determine when to tier based on the tiering policies, file access patterns and/or attributes (e.g., metadata and/or event data obtained by the analytics VM 170 and stored in datastore). The policy engine may keep track of the results of the tiering and untiering executions. For example, when the data is tiered or recalled by a tiering engine of the virtual file server, an event may be generated (e.g., Op code=kTier or kRecall). The tiering event may be sent through the data pipeline (e.g., by producer message handler(s) 312 of FIG. 3 to events processor 316 of FIG. 3). In this manner, the file analytics system may store indications in the analytics datastore 320 that certain data has been tiered, and on which tier the data (e.g., files reside). Reports and other displays may then be accurate as to the tiering status of files in the virtualized file server.

User interfaces (e.g., UI 272 of FIG. 2A) may provide an interface for a user to view, set, and/or modify the tiering profile. The user interface may be used to obtain information about tiering targets and credentials to be used by the virtualized file server (e.g., VFS 160) to connect and upload files to the tiers. The captured profile details may be communicated to the virtualized file server (e.g., to the tiering engine) via remote command. The user may also set the tiering policy and/or desired free capacity via the UI and this may be stored on an analytics datastore (e.g., database 292 if FIG. 2A). Tiering criteria may be defined, for example exclusion criteria may be defined (e.g., for file size, particular shares, and/or file types, such as categories or extensions) to specify certain items that may not be subject to the tiering policy. Another tiering criteria may be file size and priority for tiering. Another tiering criteria may be tier threshold age. Another tiering criteria may be file type (e.g., category and/or extension) and priority. The policy engine (e.g., policy management 283 of FIG. 2A) may be implemented using cron job that may run periodically and may be based on tiering policy and desired capacity may wholly and/or partially determine the candidate files for moving to a particular tier. The list of files which meet the criteria for a particular tier may be communicated to the tiering engine of the VFS via a remote command.

The tiering engine of the VFS (which may be hosted, e.g., on node 102, node 104, and/or node 106 of FIG. 1A) may tier the files to the specified tiering targets responsive to instructions from the analytics policy engine. For example, the policy engine of the analytics system may evaluate a capacity of the VFS. If a capacity threshold is exceeded, the analytics system may itself and/or communicate with the VFS (e.g., with the tiering engine) to identify files in accordance with the tiering policy for tiering. The files may be grouped for tiering by ID in each share and a task entry may be made for each group. The tasks may be executed by the tiering engine of the VFS, which may in some examples generate the tasks, and in some examples may receive the tasks from the analytics system (e.g., the policy engine). Once the files have been tiered the tiering engine may send audit events for each of the tiered files to the analytics VM 170. The audit events may contain the object identifier (e.g., file ID) and the tier target (e.g., tier to which the file ID is tiered). The tier audit event may be stored in the datastore (e.g., database 292 of FIG. 2A) and the state of the file ID may be updated to “Tiered” when tiered. In case of tiering failure the audit event may contain a reason and file table entry for that file will be updated with it.

The user may (e.g., through UI 272) set an automatic recall policy while setting up the tiering policy. The recall policy may, for example, be based on how many accesses (e.g., reads and/or writes) within a period may trigger a recall. Other users (e.g., admins) may also initiate the recall of specific tiered files, according to the users' requests. In case of manual recall, a user may provide a file, directory and/or a share for recall. The request may be saved in an analytics datastore (E.g., analytics datastore 292 of FIG. 2A) and accessed by a backend recall process.

In some examples, the tiering engine of the VFS may collect file server statistics used to make a tiering decision (e.g., network bandwidth, pending tiering requests). The analytics VM 170 may access the file server statistics collected by the tiering engine, e.g., through one or more API calls and/or audit events. The file server statistics may be used by the analytics VM (e.g., the policy engine) to control the number of tiering requests provided to the VFS.

Based on the collected information and current state of the objects, the analytics system (e.g., analytics VM 170, such as through the policy engine) may calculate the projected storage savings using a particular tiering selection on a time scale. This information may aid users to configure snapshot and tiering policies for most effective utilization of the VFS, balancing between performance and cost in some examples.

Accordingly, tiering engines in a VFS may utilize file analytics determined based on collected metadata and/or events data from the VFRS to make decisions on which files to tier and subsequently truncate from the primary storage. File analytics systems (e.g. AVMs) may additionally or instead decide to untier files based on user defined recall policy (e.g., based on access pattern as determined using collected event data and metadata) and/or based on manual trigger. The policy engine of the analytics VM may generally include a collection of services which may work together to provide this functionality. The policy engine may execute the tiering policy in the background, and call VFS APIs to tier and recall files. The policy engine may keep track of tiered files, and/or the files in the process of being tiered or recalled.

In some examples, the events processor 280, the security layer 287, and the alert and notification component 281 may be configured to analyze the received event data to detect security issues; and/or irregular, anomalous, and/or malicious activity within the file system. For example, the events processor 280 and the alert and notification component 281 may detect malicious software activity (e.g., ransomware) or anomalous user activity (e.g., deleting a large amount of files, deleting a large share, etc.), and the security layer 287 may be configured to provide an alert or notification (e.g., email, text, notification via the user interfaces 272, etc.) of the malicious software activity and/or anomalous user activity.

In some examples, the alert and notification component 281 may include an anomaly detection service that runs in the back ground. The anomaly detection service may scan configuration details and file system usage data retrieved from the analytics datastore (e.g., via communication with elasticsearch) to detect anomalies. In an example, the anomaly detection service may provide detected anomalies per configuration. In some examples, the anomaly detection service may find anomalies based on configured threshold values and the file system usage information. If there are any anomalies, the alert and notification component 281 may send a notification (e.g., text, email, UI alert, etc.) to users, as well as may also store the detected anomalies in the analytics datastore. In some examples, the anomaly detection service may run continuously. In other examples, the anomaly detection service may run periodically and/or according to a schedule. Examples of anomalies may include file access anomalies (e.g., a situation where a specific file was accessed too many times by one or more users within the detection interval), user operation anomalies (e.g., a situation where a user has performed a file operation (e.g., create, delete, permission change) too many times within the detection interval), etc. In some examples, the anomaly detection service may be capable of going back to find anomalies missed when the anomaly detection service was unavailable.

In some examples, the machine learning service 285 may be implemented to enhance detection of malicious software activity and/or anomalous user activity. FIG. 6 depicts an example user interface 600 reporting various anomaly-related data, according to particular embodiments. As shown in FIG. 6, the top portion of the user interface 600 shows changes in a number of detected anomalous events over time. The lower left portion of the user interface 600 depicts a list of users that have cause the most detected anomalous activity, the lower middle portion of the user interface 600 depicts a list of folders have experienced the most detected anomalous activity, and the lower right portion of the user interface 600 depicts frequency of each type of anomaly-inducing event. The user interface 600 depicted in FIG. 6 is exemplary. It is appreciated that the user interface 600 may be modified to arrange the information differently. It is also appreciated that the user interface 600 may be modified to include additional data, to exclude some of the depicted data, or any combination thereof.

In some examples, file analytics systems may detect and take action responsive to the detection of suspected or actual ransomware. Ransomware is a type of malicious software, examples of which may be designed to block access to a computer system or computer files until a sum of money is paid. Most ransomware variants encrypt user files on the affected computer, hold the decryption key, making them inaccessible, and demand a ransom payment to restore access. Ransomware is a growing threat enterprise is trying to address through a traditional approach OR through supervised machine learning and Artificial Intelligence solutions OR a combination of these two. Some of the traditional approaches to handle ransomware attacks are—

A) Intrusive detection at the network layer and monitor the end point.—Network based systems typically focus on who and what are being attacked rather than detecting evidence of infection and are generally not designed to inform the end-user that an infection has been detected

B) Taking a backup or snapshot of the file system on a regular interval—This approach may only have partial success as complete data recovery is generally not possible. Data created between two backups/snapshots is bound to be lost.

C) Detect ransomware through pre-defined digital signatures—This can help if there is a repetition of already known ransomware (currently contains around 3000+ known ransomware file name and extension patterns that are updated daily). However, this leads to significant system vulnerability to new and non-cataloged ransomware.

Virtualized file servers described herein, such as VFS 160 may have an ability to maintain an allowlist (e.g., contains all file extensions allowed for an enterprise or other user) and denylist (e.g., contains all file extensions that are not allowed for an enterprise or other user) file extensions based on the customer needs and act as a preventive layer.

Examples described herein include systems, methods, and computer readable media encoded with instructions to perform ransomware prevention, detection, remediation, and/or recovery. In some examples, an automated workflow is provided what may allow for ransomware to be detected based on events recorded from a file server, and upon detection, the workflow may take immediate action to remediate and/or recover from the ransomware attack.

As described herein, a files analytics system may be used to track events (e.g., reads, writes, change files). Virtualized file servers, such as VFS 160 of FIG. 1A may include an API interface for file blocking, and may provide multiple snapshots of the files made available by the file server. Analytics systems may utilize events and/or patterns of events to detect suspected ransomware. For example, ransomware may follow certain steps for infecting files. In some examples, ransomware may delete shadow copies of files (e.g., default backups made by an OS), an executable for ransomware may be copied to a system folder and may receive elevated permissions, a service may be created that runs during encryption of files. During encryption of files, encrypted files are renamed and ransom notes may be created. A log file may be created listing the number of targeted files, the number of encrypted files, and the number for files not encrypted due to access issues, and then the service may be stopped and deleted. File analytics systems may review event data to detect ransomware behavior—for example, analytics may identify the renaming of files during encryption and/or creation and storage of ransom notes. Each ransomware may have its own mechanism for renaming infected files and changing their extension and name. Known or suspected ransomware signatures (e.g., renaming patters and/or extensions) may be stored and acted on by file analytics systems.

File Analytics may use the virtualized file server's “File Blocking Policy” and “SSR” (Self Service Restore) capabilities to prevent attacks from known ransomware signatures. For example, the file analytics system may utilize an API interface to the VFS 160 of FIG. 1A to perform file blocking to block files from being created and/or renamed to names or properties of known ransomware file names or properties. Blocking generally refers to preventing create and/or rename file operations. The AVM 170 may add rules to a rule storage accessed by the VFS 160 to implement these policies and prevent certain actions and/or file extensions from occurring in the VFS 160. For example, the analytics VM 170 may maintain a database of known ransomware file extension(s) (example *.zzz or *.cfg) or matching file name and extension pattern (example—a*b.zzz, *-info.cfg*, info*.*-att). These extensions and/or rules may be communicated to the VFS 160 for use in implementing file blocking policies. Once configured, any files created or renamed in the VFS 160 may be blocked from being stored or renamed to prohibited extensions or extension patterns. The VFS 160 may provide an event to analytics VM 170 to notify the analytics system of the attempt to create or rename a file with a known ransomware signature. For example an “access denied [file blocking policy]” message may be generated (e.g., by an FSVM) when access and/or rename of a blocked file is attempted. This event may be provided to the analytics VM and logged in an events datastore. The virtualized file server may have an SSR policy definition which allows the virtualized file server to create a snapshot at a regular interval—e.g., an immutable copy of the file system. The analytics VM 170 may interface with the virtualized file server to display the current SSR configuration. If any of the shares or exports is not protected (e.g., SSR policy not enabled) or SSR policy is not defined, the analytics VM 170 may create and protect them.

Detection: File analytics systems (e.g., analytics VM 170 of FIG. 1A) may detect ransomware attacks through a set of file operation events. If an attack happens using existing ransomware signature, file blocking events may be analyzed to detect the attack. However, if any new ransomware signatures occur, the analytics VM may analyze the set of file operation events to detect the ransomware attack. For example, the analytics VM 170 may monitor and/or query events stored in the datastore 190 of FIG. 1A and/or datastore 320 of FIG. 3 to identify ransomware. Examples of event patterns which the analytics VM 170 may recognize as a ransomware attack are provided below.

Overwrite:—In this pattern, a user file is overwritten by opening the file, reading the content, writing the encrypted contents in-place, and then closing the file. The file may additionally be renamed. In some examples, the analytics VM 170 may recognize this pattern of events as a ransomware attack. When this pattern of events occurs, as identified by the pattern of events being received by the events processor 316 and/or being stored in the analytics datastore 320, the analytics VM 170 may identify the ransomware attack and issue a notification and/or take a remediation action.

Read-Encrypt-Delete: In this pattern, file contents may be read, encrypted contents may be written, the files deleted without wiping them from the storage. This could be accomplished by moving the file to temporary folders, doing the operations and moving back the encrypted files to the original directory.

In some examples, the analytics VM 170 may recognize this pattern of events as a ransomware attack. When this pattern of events occurs, analytics VM 170 may identify the ransomware attack and issue a notification and/or take a remediation action.

Read-Encrypt-Override: In this pattern, a user file may be read, a new encrypted version may be created and the original file may be securely deleted or overwritten (e.g., using a move). This uses two independent access streams to read and write the data.

In some examples, the event pattern analysis may be implemented by analytics VM 170 using a supervised machine learning algorithm and/or by similarity measurement and consideration of file entropy (e.g., a measure of the “randomness” of the data in a file—measured in a scale of 1 to 8 (8 bits in a byte), where typical text files will have a low value, and encrypted or compressed files will have a high measure). The machine learning algorithm may identify files that are or have been subject to a ransomware attack. In some example, the similarity measurement and/or file entropy measurement may be indicative that the file is or has been subject to a ransomware attack.

In some examples, events processor 280 of FIG. 2A and/or events processor 316 of FIG. 3 may be used to detect ransomware attacks. For example, the events processor may scan incoming events for “access denied [file blocking policy]” events based on requests to create and/or rename files. The events processor may then ascertain whether the extension of the file names and/or file name pattern associated with the attempted events matches with extensions and/or file name patterns stored in a denylisted set of known and/or suspected ransomware. Such a list may be stored in-memory by the events processor in some examples. Audit events determined to be associated with ransomware may be marked accordingly (e.g., by updating a field, e.g., a ‘ransomware_attack’ field) in the record for the event stored in the datastore. Other indicators may also be used. Such an indicator may support later queries of the datastore for ransomware events and related analytics. The events processor may periodically reload (e.g., through an event driven framework supported by publish subscribe mechanism(s)) new and/or changed ransomware signatures for detection. The ransomware signatures may be added and/or changed, for example, by a user through a user interface.

Remediation: Once analytics VM 170 (e.g., using an anomaly engine detecting above-described patterns and/or running a machine learning algorithm) detects the ransomware attack, the analytics VM 170 may A) send an alert (such as an email alert, the alert specifics may be stored and adjusted in an alert policy accessible to File Analytics) B) Makes an API call to the virtualized file server 160 and mark the share READ only—e.g., the file share storing the affected file may be marked READ only so no further changes may be accepted. In some examples, the file share may include only the file subject to the detected ransomware attack; in some examples, the file share may include other files in addition to the file subject to the detected ransomware attack, such as all files in the file system stored at the same computing node and/or same block or volume; and/or C) Blocks the users/client IP address accessing the share subject to the ransomware attack (as defined in the File analytics policy). The system may also generate report on a number of files (and file details) impacted with details of the paths that can be used for recovery purpose.

For example, an event driven framework supported by a publish-subscribe mechanism may be used to send an email notification to end users when a ransomware attack is detected and/or suspected. Once a ransomware attack as been detected and/or suspected (e.g., by an events processor), the corresponding share of the VFS having the implicated file may be added to the existing topic (e.g., Kafka topic). The events processor may call a notify process to send an email notification.

Recovery: By the time a ransomware attack is detected and remediation kicks-in, there is a possibility of few files being compromised. The file analytics system may auto detect the compromised files by analyzing events data and building the path for the affected files. Once the files path and name is available, the files analytics system (e.g., analytics VM 170, which may have a client available to mount the share or snapshot) may—

Mount the immutable snapshot (\\share-name\.snapshot) associated with the file and/or share subject to the ransomware attack. The analytics VM 170 may traverse the files of the snapshot based on the file path and copy those files in the “recover-temp” folder in the local file analytics system.

Mount the share where documents are compromised (e.g., \\share-name\folders\file-path) and delete those files. Once the folders/files are deleted, the analytics VM 170 may copy files from the “recover-temp” folder in the same directory. In this manner, the attacked files may be deleted and replaced with a most recent version of the files from prior to the attack from a stored snapshot.

Once this is completed, the analytics VM 170 may retrofit the configuration to file blocking policy to ensure the virtualized file server is resilient to future attack from a same ransomware attacker—e.g., filenames or signatures used by the ransomware attacker may be blocked and/or the IP address or other identifying indicia of the attacker may be blocked.

Accordingly, systems and methods for ransomware detection, remediation, and/or prevention may be provided which may improve resiliency of a virtualized file server to ransomware attack. A variety of user interfaces may be provided to administer, and/or receive information about ransomware in a virtualized file server (e.g., utilizing UI 272 of FIG. 2A). In some examples, the UI 272 may provide a ransomware policy management page allowing for a user to add and/or remove and/or modify file extensions and file name patterns that analytics VM 270 may recognize and report as ransomware. In some examples, the UI 272 may provide a display of a ransomware dashboard. The dashboard may display for example, an infection status (e.g., number of infected files, number of infected shares, and/or provide an infected file list for display and/or download). The dashboard may display SSR status (e.g., a list of shares that have SSR enabled). The dashboard may display a number of vulnerabilities (e.g., infection attempts)—this may include, for example, total vulnerabilities, vulnerable shares, and/or malicious clients. The dashboard may display most recent ransomware attack attempts (e.g., time of attach, share, client, and/or blocked file extension). The dashboard may display a list of vulnerable shares (e.g., share name, path, status, protection status, and/or vulnerabilities). The dashboard may display a list of malicious clients (e.g., client IP, user, share accessed, and/or operation performed).

The information for the dashboard may be obtained by analytics VM 270 querying metadata and/or events data maintained in analytics datastore 292 (e.g., datastore 320 of FIG. 3). For example, the analytics VM may utilize a query for audit events having an indicator of ransomware attack (e.g., in a ransomware attack field of the event store). Counting the number of such events may provide a number of infection attempts, and the shares corresponding to files implicated by those events may provide a list of vulnerable shares.

FIG. 7 illustrates a clustered virtualization environment 700 implementing file server virtual machine 766 of a virtualized file server (VFS) and an analytics VM 870 according to particular embodiments. The analytics VM 770 may include an events processor to retrieve, organize, aggregate, and/or analyze information corresponding to the VFS file system in an analytics datastore. The VFS 160 and/or the analytics VM 170 of FIG. 1A and/or the VFS 260 and/or the analytics VM 270 of FIG. 2A, and/or the VFS 360 and/or the analytics VM 370 of FIG. 3 may implement the FSVM 766 of the VFS file system and/or the analytics VM 770, respectively. The architecture of FIG. 8 can be implemented using a distributed platform that contains a cluster of multiple host machines that manage a storage pool, which may include multiple tiers of storage.

In some examples, the analytics VM 770 and/or the FSVM 766 may include protections to prevent event data from being lost. In some examples, the FSVM 766 may store event data until it is consumed by the analytics VM 770. For example, if the analytics VM 770 (e.g., or the message system) becomes unavailable, the FSVM 766 may store the event data until the analytics VM 770 (e.g., or the message system) becomes available.

To support the persistent storage, and well as provision of the event data to the analytics VM 270, the FSVM 766 may include an audit framework 762 that includes a dedicated event log (e.g., tied to a FSVM-specific volume group) that is capable of being scaled to store all event data and/or metadata for a particular FSVM until successfully sent to the analytics VM 770. The audit framework may include an audit queue, an event logger, an event log, and a service connector. The audit queue may be configured to receive event data and/or metadata from the FSVM 766 via network file server or server message block server communications, and to provide the event data and/or metadata to the event logger. The event logger may be configured to store the received event data and/or metadata from the audit queue, as well as retrieve requested event data and/or metadata from the event log in response to a request from the service connector. The service connector may be configured to communicate with other services (e.g., such as a message topic broker/events processor of the analytics VM 770) to respond to requests for provision of event data and/or metadata, as well as receive acknowledgments when event data and/or metadata are successfully received by the analytics VM 770. The events in the event log may be uniquely identified by a monotonically increasing sequence number, will be persisted to an event log and will be read from it when requested by the service connector.

The event logger may coordinate all of the event data and/or metadata writes and reads to and from the event log, which may facilitate the use of the event log for multiple services. The event logger may keep the in-memory state of the write index in the event log, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

Multiple services may be able to read from event log via their own service connectors (e.g., Kafka connectors). A service connector may have the responsibility of sending event data and metadata to the requesting service (e.g., such as the message topic broker/events processor of the analytics VM 770) reliably, keeping track of its state, and reacting to its failure and recovery. Each service connector may be tasked with persisting its respective read index, as well as being able to communicate the respective read index to the event logger when initiating an event read. The service connector may increment the in-memory read index only after receiving acknowledgement from its corresponding service and will periodically persist in-memory state. The persisted read index value may be read at start/restart and used to set the in-memory read index to a value from which to start reading from.

During service start/recovery, service connector may detect its presence and initiate an event read by communicating the read index to the event logger to read from the event log as part of the read call. The event logger may use the read index to find the next event to read and send to the requesting service (e.g., the message topic broker/events processor of the analytics VM 770) via the service connector. As previously discussed, the audit framework and event log may be tied to a particular FSVM in its own volume group. Thus, if a FSVM is migrated to another computing node, the event log may move with the FSVM and be maintained in the separate volume group from event logs of other FSVMs.

FIG. 8 depicts a block diagram of components of a computing node (device) 800 in accordance with embodiments of the present disclosure. It should be appreciated that FIG. 8 provides only an illustration of one implementation and does not imply any limitations with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environment may be made. The computing node 800 may implemented as at least part of the system 100 of FIG. 1, the clustered virtualization environment 200 of FIG. 2, and/or may be configured to perform host at least part of the virtualized file server 360 and/or the analytics virtual machine 370 of FIG. 3 and/or the FSVM 766 and/or the analytics virtual machine 770 of FIG. 7. In some examples, the computing node 800 may be a standalone computing node or part of a cluster of computing nodes configured to host a file analytics tool 807.

The computing node 800 includes a communications fabric 802, which provides communications between one or more processor(s) 804, memory 806, local storage 808, communications unit 810, I/O interface(s) 812. The communications fabric 802 can be implemented with any architecture designed for passing data and/or control information between processors (such as microprocessors, communications and network processors, etc.), system memory, peripheral devices, and any other hardware components within a system. For example, the communications fabric 802 can be implemented with one or more buses.

The memory 806 and the local storage 808 are computer-readable storage media. In this embodiment, the memory 806 includes random access memory RAM 814 and cache 816. In general, the memory 806 can include any suitable volatile or non-volatile computer-readable storage media. In an embodiment, the local storage 808 includes an SSD 822 and an HDD 824.

Various computer instructions, programs, files, images, etc. may be stored in local storage 808 for execution by one or more of the respective processor(s) 804 via one or more memories of memory 806. In some examples, local storage 808 includes a magnetic HDD 824. Alternatively, or in addition to a magnetic hard disk drive, local storage 808 can include the SSD 822, a semiconductor storage device, a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, or any other computer-readable storage media that is capable of storing program instructions or digital information.

The media used by local storage 808 may also be removable. For example, a removable hard drive may be used for local storage 808. Other examples include optical and magnetic disks, thumb drives, and smart cards that are inserted into a drive for transfer onto another computer-readable storage medium that is also part of local storage 808. The local storage may be configured to store executable instructions for the file analytics tool 807 or the audit framework 809. The file analytics tool 807 may perform operations described with reference to the AVM 170 of FIG. 1, the AVM 270 of FIG. 2, the analytics VM 370 of FIG. 3, and/or the analytics VM 770 of FIG. 7, in some examples. The audit framework 809 may perform operations described with reference to the audit framework of the VFS 160 of FIG. 1, the audit framework of the VFS 260 of FIG. 2, the audit framework 362 of FIG. 3, and/or the audit framework 762 of FIG. 7, in some examples.

Communications unit 810, in these examples, provides for communications with other data processing systems or devices. In these examples, communications unit 810 includes one or more network interface cards. Communications unit 810 may provide communications through the use of either or both physical and wireless communications links.

I/O interface(s) 812 allows for input and output of data with other devices that may be connected to computing node 800. For example, I/O interface(s) 812 may provide a connection to external device(s) 818 such as a keyboard, a keypad, a touch screen, and/or some other suitable input device. External device(s) 818 can also include portable computer-readable storage media such as, for example, thumb drives, portable optical or magnetic disks, and memory cards. Software and data used to practice embodiments of the present disclosure can be stored on such portable computer-readable storage media and can be loaded onto local storage 808 via I/O interface(s) 812. I/O interface(s) 812 also connect to a display 820.

Display 820 provides a mechanism to display data to a user and may be, for example, a computer monitor. In some examples, a GUI associated with the user interface 272 of FIG. 2A may be presented on the display 820, such as the example user interfaces depicted in FIGS. 4-6.

Of course, it is to be appreciated that any one of the examples, embodiments or processes described herein may be combined with one or more other examples, embodiments and/or processes or be separated and/or performed amongst separate devices or device portions in accordance with the present systems, devices and methods.

Finally, the above-discussion is intended to be merely illustrative of the present system and should not be construed as limiting the appended claims to any particular embodiment or group of embodiments. Thus, while the present system has been described in particular detail with reference to exemplary embodiments, it should also be appreciated that numerous modifications and alternative embodiments may be devised by those having ordinary skill in the art without departing from the broader and intended spirit and scope of the present system as set forth in the claims that follow. Accordingly, the specification and drawings are to be regarded in an illustrative manner and are not intended to limit the scope of the appended claims. 

What is claimed is:
 1. At least one non-transitory computer-readable storage medium including instructions that, when executed by a computing node, cause the computing node to: mount a snapshot associated with a file server virtual machine (FSVM) of a virtualized file server (VFS); retrieve first metadata from a first portion of the snapshot corresponding to data items managed by the FSVM; add a checkpoint to indicate that the first metadata of the first portion of the snapshot is obtained; retrieve second metadata from a second portion of the snapshot corresponding to the data items managed by the FSVM; update the checkpoint to indicate that the second metadata has been obtained from the second portion of the snapshot; and after an interruption, determine where to resume obtaining metadata from the snapshot based on the checkpoint.
 2. The computer readable media of claim 1, wherein the instructions, when executed, cause the computing node to obtain third metadata using a second snapshot associated with a second FSVM for a subset of data items of a share managed by the second FSVM of the VFS in response to the first metadata indicating that that the second FSVM manages the subset of data items of the share managed by the second FSVM.
 3. The computer readable media of claim 2, wherein the instructions, when executed, cause the computing node to analyze the first metadata to detect a hierarchy of the share including the subset of data items managed by the second FSVM.
 4. The computer readable media of claim 1, wherein the instructions, when executed, cause the computing node to generate an event based on detection of a metadata change for a data item after comparing the first metadata to third metadata associated with a scan of a second snapshot.
 5. The computer readable media of claim 4, wherein the instructions, when executed, cause the computing node to obtain the third metadata from the second snapshot.
 6. The computer readable media of claim 4, wherein the instructions, when executed, cause the computing node to generate a move, add, or delete event for the data item based on a comparison of the first metadata to the third metadata.
 7. The computer readable media of claim 1, wherein the instructions, when executed, cause the computing node to create an entry in an analytics data store for a metadata category of a first data item based on the first metadata in response to lack of detection of an entry corresponding to the metadata category for the first data item.
 8. The computer readable media of claim 7, wherein the instructions, when executed, cause the computing node to ignore the metadata category for the data item included in the first metadata in response to detection of that an entry exists for the metadata category of the first data item exists.
 9. The computer readable media of claim 1, wherein the instructions, when executed, cause the computing node to create a first entry in an analytics datastore based on the first metadata.
 10. The computer readable media of claim 9, wherein the instructions, when executed, cause the computing node to create an event entry for the data item in the analytics datastore based on an event data record received via an event pipeline.
 11. The computer readable media of claim 10, wherein the instructions, when executed, cause the computing node to create the event entry for the data item to present a change to the data item relative to a state indicated by the first entry.
 12. A system comprising: a distributed file server comprising a cluster of file server virtual machines (FSVMs), wherein the distributed file server is configured to generate a first snapshot corresponding to first data items managed of the distributed file server managed by a first FSVM of the cluster of FSVMs; and an analytics virtual machine configured to access the first snapshot to obtain first metadata for a first share, wherein the analytics virtual machine is further configured to analyze the first metadata to determine storage locations of data items of the first share, wherein, in response to a determination that a subset of the data items of the first share are managed by a second FSVM of the cluster of FSVMs, access a second snapshot associated with the second FSVM to retrieve second metadata of the share corresponding to the subset of data items.
 13. The system of claim 12, wherein the analytics virtual machine is further configured to add a checkpoint to indicate where to start a next access of the first snapshot.
 14. The system of claim 12, wherein the distributed file server is configured to generate the second snapshot corresponding to second data items managed of the distributed file server managed by the second FSVM.
 15. The system of claim 12, wherein the analytics virtual machine is further configured to analyze the first metadata to detect a hierarchy of the share including the subset of data items managed by the second FSVM.
 16. The system of claim 12, wherein the analytics virtual machine is further configured to generate, via the analytics tool, an event based on detection of a metadata change for one of the first data items after comparing the first metadata to third metadata associated with an access of a third snapshot.
 17. The system of claim 16, wherein the analytics virtual machine is further configured to access the third snapshot to retrieve the third metadata.
 18. The system of claim 12, wherein the analytics virtual machine is further configured to create an entry in an analytics data store for a metadata category of one of the first data items based on the first metadata in response to lack of detection of an entry corresponding to the metadata category of the one of the first data items.
 19. The system of claim 18, wherein the analytics virtual machine is further configured to ignore the metadata category for the one of the first data items included in the first metadata in response to detection of that an entry exists for the metadata category of the one of the first data items.
 20. A method, comprising: mounting, by an analytics virtual machine, a snapshot associated with a file server virtual machine (FSVM) of a virtualized file server (VFS); accessing a first portion of the snapshot to retrieve first metadata corresponding to data items managed by the FSVM; adding a checkpoint to indicate that an access of the first portion of the snapshot is complete; accessing a second portion of the snapshot to retrieve second metadata corresponding to the data items managed by the FSVM; updating the checkpoint to indicate that the access of the first portion and the second portion of the snapshot is complete; and after an interruption, determining where to resume scanning of the snapshot based on the checkpoint.
 21. The method of claim 20, further comprising accessing a second snapshot associated with a second FSVM to gather metadata for a subset of data items of a share managed by the second FSVM of the VFS in response to the first metadata indicating that that the second FSVM manages the subset of data items of the share.
 22. The method of claim 21, further comprising analyzing the first metadata to detect a hierarchy of the share including the subset of data items managed by the second FSVM.
 23. The method of claim 20, further comprising generating an event based on detection of a metadata change for a data item after comparing the first metadata to third metadata associated with an access of a second snapshot.
 24. The method of claim 23, further comprising accessing the second snapshot to retrieve the third metadata.
 25. The method of claim 23, further comprising generating a move, add, or delete event for the data item based on a comparison of the first metadata to the third metadata.
 26. The method of claim 20, further comprising creating an entry in an analytics data store for a metadata category of a first data item based on the first metadata in response to lack of detection of an entry corresponding to the metadata category for the first data item.
 27. The method of claim 26, further comprising ignoring the metadata category for the data item included in the first metadata in response to detection of that an entry exists for the metadata category of the first data item exists.
 28. The method of claim 20, wherein the instructions, when executed, cause the computing node to create a first entry in an analytics datastore based on the first metadata. 